News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Big forum still using 1.1.19 without problems

Started by Maxtor, September 09, 2024, 10:03:24 AM

Previous topic - Next topic

Maxtor

is it safe to run 1.1.19 stll in 2024?
the following example still running it: https://bitcointalk.org/index.php

Aleksi "Lex" Kilpinen

1.1.19 basically should not work in 2024.
But I believe they have been patching it for their own use, keeping it alive.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

They've modified big chunks of it and they've said to my face that they wouldn't move to SMF 2 because they think it has some fundamental design flaws (which 1.1 incidentally has, and that they're raising the spectre they think they found proves a limited understanding of software design, which is a different problem)

Reality: SMF 1.x will not run securely on PHP 5.6+ and will not function on PHP 7+ as provided by this site. If you were to make the many, many necessary changes, you could make it run but i can think of 3 or 4 security holes that would be present that have long since been patched in 2.0 but never were in 1.1 because it had fallen out of support.

Note that PHP 5.6 and PHP 7.x are long since tagged unsupported by the PHP team. Some server manufacturers ship patched versions but if you are at the level of understanding whether your server has such patches, you probably would be able to otherwise patch SMF 1.1 to keep it running.
Holder of controversial views, all of which my own.

Aleksi "Lex" Kilpinen

Bitcointalk has also been "working on" migrating to something else for the past decade or so.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

They approached me and Nao in 2013, offering us 2200BTC to build them a new software. (In 2013 that was worth maybe $11k USD. We said no. There was no way that was going to end well for anyone.)
Holder of controversial views, all of which my own.

Maxtor

Quote from: Arantor on September 09, 2024, 10:30:54 AMbut i can think of 3 or 4 security holes that would be present that have long since been patched in 2.0 but never were in 1.1 because it had fallen out of support.



my first question is it possible to run on php 7.4+ ?
also is there any unofficial patch for fixing those holes?

Quote from: Arantor on September 09, 2024, 11:48:55 AMThey approached me and Nao in 2013, offering us 2200BTC to build them a new software. (In 2013 that was worth maybe $11k USD. We said no. There was no way that was going to end well for anyone.)

now worth ~125mil usd $$$ !

Arantor

Quote from: Maxtor on September 09, 2024, 02:02:08 PMmy first question is it possible to run on php 7.4+ ?

Not without *significant* changes. You will need to fix every single database query, by hand, and fix multiple uses of preg_replace /e which will be a security hole.

There is no unofficial patch for fixing them in 1.1 - we fixed them all in 2.0 more than a decade ago.
Holder of controversial views, all of which my own.

Steve

It is highly recommended that you upgrade to 2.1.4 ...
DO NOT pm me for support!

Arantor

BCT ain't never going to upgrade.

I can see the appeal of 1.1 in some ways though - there are themes for 1.1 that never got updated for 2.x. I have a decent collection of very old themes kicking around that no one has updated, though many of them are both products of their time (circa 2006) and in dire need of rethinking to make responsive in the modern era.
Holder of controversial views, all of which my own.

Steve

Shame that. The security updates alone would make me want to update.
DO NOT pm me for support!

Arantor

BCT seems confident enough in their setup. After all, they completely replaced how passwords were hashed, I think they went to something similar to what SMF 2.1 did but without using any of the code from SMF's GitHub to do it. They assured me they knew better.
Holder of controversial views, all of which my own.

Steve

DO NOT pm me for support!

Advertisement: