Talk:PhpBB/Archive 6

Archive 1

←

Archive 4

Archive 5

Archive 6

Archive 7

ForumImages.com

Given my views on phpBBhacks.com, this question will probably bite me, but this link seems sketchy. Jake b 04:32, 12 March 2006 (UTC)

I agree that t has more ads than I care for, however it has fewer than phpbbhacks and that gets included so... Anon 07:43, 12 March 2006 (UTC)

Remember that advertising is but one metric used to decide if a link is relevant/valid. There's also the question of is the link promotional? Is the site relevant? Does it add something to the article or provide a resource for readers curious about the subject matter? You can check Alexa and see how popular the site is (or isn't). It might also be worth seeing if the person who added the link also added it to other articles (that would definitely classify it as linkspam). Just some ideas. =) —Locke Cole • t • c 07:50, 12 March 2006 (UTC)

Ok, I took the 5 urls from the other section, and put them in an alexa graph. phpbbhacks.com is there for comparison: [1]

It shows that phpbb-styles.com, forumimages.com and forumtemplates.com are all non-popular domains (as for alexa ranking: [2] ).

Jake b, can you expand on why you think its sketchy? I think that will help us all see if we have an agreement as to why it should be removed. NeoThermic 18:47, 12 March 2006 (UTC)

Advertising aside, it does not seem to have much of anything new or unique, most of its downloads are from other sites, its inclusion seems self-promotional. Of its class of web site, it is not by any measure the best to include. If you are going to suggest that it is of the same class as phpBBhacks, than I would say that may be so, but it does not even meet the standard of phpBBhacks, it is by far NOT "best of class". It should not be included at this time, but improvement could change that. I guess that the design itself is atrocious is not really relevant, although I don’t know if I’d be getting templates there. Kind of reminds me of a pirate software crack site... Jake b 01:36, 13 March 2006 (UTC)

"It might also be worth seeing if the person who added the link also added it to other articles (that would definitely classify it as linkspam)." T'was me that added it, and I didn't link it to anything else

However I see this as a goodsite, and until you provide proof otherwise it shall stay, and any attempts to remove it shall be challenged. Anon 02:29, 13 March 2006 (UTC)

Nothing more than a childish protest over phpBBhacks. Stomp you feet, Anon. Jake b 04:05, 14 March 2006 (UTC)

WP:AGF please. And yes, I'm still against the inclusion of phpbbhacks, however that it not a reason to not link to this perfectly valid site. Anon 09:06, 14 March 2006 (UTC)

Than perhaps you can justify its inclusion? Or is it "just because"? It is a genuinely crappy site, so your non-argument thus far supports the idea that it is a protest inclusion. Which opens the door to more of the same (though not from me), if that's the way you like it.Jake b 18:54, 14 March 2006 (UTC)

Because like phpbbhacks, it provides downloads that are relavent to customising a forum. Why should it not be linked to? Anon 19:25, 14 March 2006 (UTC)

So, it REALLY IS sour grapes about phpBBhacks and not because the site itself adds any significant content over what is here already? As I thought. Also, do I need to point out to you that in fact there was significant discussion about phpBBhacks, and none at all about this fan site you have added? Maybe an analysis of its content against what is already represented in current listings is in order? Jake b 21:41, 14 March 2006 (UTC)

Can you provide a reason it should not be included? Does it not provide resources that are useful? Anon 04:48, 15 March 2006 (UTC)

"Does it not provide resources that are useful?" Yes, it does not. All that is contained at that site is better offered with other already listed sites. And they are more pleasant to the eyes as well. What did you do, go out and find the worst possible example of a marginally useful phpBB site, just to grind your ax against the inclusion of phpBBhacks?

Anyway do you really want to open that door? I can sift the Internet and come up with a list of twenty or thirty sites as good as the one we are talking about. You can no longer have any objection to that, given your present position. Is that what you want? Are you such a child that you would destroy this article just to be "right"? Of course I'm not going to lower myself to that level. Let me ask you: Are you 14 years old? Because you act it (that's not a personal attack, it's an objective observation).

As a phpBB Team Member (that is, a member of the phpBB Group), this type of behavior does not reflect very good on you, or phpBB. Jake b 16:00, 15 March 2006 (UTC)

You should know that my views do not reflect those of the phpBB Team. This site indeed provides themes to download. Therefore it must be a resource to aid in administrating a forum. If you don't find the site's design to your tastes, that's your problem. I don't believe anything in the Wiki linking guidelines says something like "Thou shalt not link to a page which one person thinks is ugly". As far as I'm concerned, it provides useful downloads like phpBBhacks does, and it should stay. Unless you can find a Guideline or Policy which states otherwise.

And yet again, WP:AGF and WP:NPA. There is no reason for you to attack me. Anon 19:12, 15 March 2006 (UTC)

I do not believe that you listed that site in "good faith", so no, I don’t assume it anymore after seeing your behavior here. You didn’t get your way with phpBBhacks, and you’re still trying to stir the pot (that’s known as “sour grapes”). Why do you refuse to discuss the benefits and finer points of including ForumImages.com, of how exactly it adds value in addition to what is already here? Why exactly is that? Your motives are obvious, and there is no “good faith” involved. Jake b 00:25, 16 March 2006 (UTC)

I am more than willing to discuss it. It would appear that you on the other hand, are not. Anon 04:45, 16 March 2006 (UTC)

FuntKlakow-bot

Has anyone else heard about the FuntKlakow bot, and think it is worthy of a mention? [3] Even if not, at least let it be a warning to anyone running phpBB forums out there! -- Chuq 04:49, 19 March 2006 (UTC)

No, it's incredibly easily defeated. In the same way, NeverEverNoSanity isn't given much of a mention. Anon 04:16, 20 March 2006 (UTC)

phpBB "Fan Site"

I will ask those who are editing the page to stop changing the link to forumimages.com from "phpBB Styles Downloads" to "phpBB Fan Site". Unless you have a very good reason, this site is in fact phpBB Styles Downloads and should be labeled as such. Changing the text in the hope that people who potentially don't visit it and who do visit it for the wrong reasons is rude. Thanks. Anon 08:31, 30 March 2006 (UTC)

• Seconded. It should remain at "phpBB Styles Downloads". - Sikon 08:50, 30 March 2006 (UTC)

Platform

phpBB will run on other databases besides mysql. From the Features page:

phpBB uses a database abstraction layer to enable seamless support of several database servers:

   * MySQL 3.2x,
   * PostgreSQL 7.x,
   * Microsoft SQL Server 7/2000
   * Microsoft Access (via ODBC)
   * ...with more databases available in the future.

I changed the platform back to www/php/sql. Should these specific db's be taken inot account or is sql good enough?

A little biased towards phpBB?

The advantages and all the positives of phpBB are listed, but none of the disadvantages, it's history of security flaws, etc. I'm not well versed on the topic, but I've heard MANY security complaints over the years about phpBB. Perhaps they have been resolved, perhaps not - but none of this information is in the article. I'm not in the know about them, but I thought it should be brought to attention. —Preceding unsigned comment added by Olenikm (talk • contribs) 07:00, 21 May 2006 (UTC)

I agree; this article is lacking in that aspect, and has been for some time. I may look up the security history of phpBB when I get the chance. æle ✆ 2006-05-21t13:30z

ummm... neither do MyBB, Simple Machines Forum, VBulletin or IPB, so why should phpBB? And of course it's a little bias, It's the subject of the article. As for security, most of the complaints come from people who don't update it. Same reason you don't say why the other BBS systems have security flaws, because they're only a problem if you don't patch them. Edward NZ 20:26, 21 May 2006 (UTC)

Asinine. I does not matter in the least what other articles have or do not have. Discussion of any and all security issues has long been censored from this article by a number of people, several of whom have close connections with phpBB. They achieve their censorship through breaking down people who want to include such material. Any such submissions are quickly reverted and sit in "committee" here in the talk section until the submitter loses interest. That's called censorship. Yet the fact that phpBB security issues have been covered in the mainstream press over and over and over gets brushed under the rug. For those that have not followed this article for long, it is wholly owned by the phpBB Group.Jake b 22:00, 31 May 2006 (UTC)

It doesn't matter what those other articles have, it doesn't change the fact that this article is quite biased. Maybe those others are, too, in that case, they should be revised as well. So what if it's the subject of the article? That doesn't mean it should be biased towards it. Do you think it would also be okay for articles on christianity, athiesm, or, hell, scientology to not have any criticisms of themselves on their pages? And you say security isn't an issue if the board is kept updated...for starters, I don't believe you, just based on the many, many horror stories I have heard about phpBB security. Perhaps it's fine these days, but it should still be in the article, if for no other reason than to dispell the myth that phpBB is still insecure - because I know many people do believe that phpBB has security issues. I just think it should be discussed, that's all. --Emon 21:35, 23 May 2006 (UTC)

Well, using this section of the talk page as your testbed, what sort of addition do you have in mind? Previous talks about security on the main page have been removed due to glaring inaccuracies or NPOV violations. It would be intresting to see such talk. NeoThermic 00:59, 24 May 2006 (UTC)

Naturally it will have to pass your approval. Let no one here be confused that this article is wholly owned by the phpBB Group. Don't expect any real discussion of past or present security issues (that where plastered all over the press, but apparently not important enough for the Wiki article)Jake b 22:01, 31 May 2006 (UTC)

Perhaps it is your constant assumption of bad faith that is at fault. You haven't pointed out any definitive sources despite claiming that there are so many. No original research, please. æle ✆ 2006-06-01t00:37z

Out of the 9,740,000 results from "phpbb security" at Google, many of the top results are point to respected sources such as www.us-cert.gov, and others. Are you blind? As to "bad faith", none exists. It's just that I've read the complete phpBB talk history. No faith is different than bad faith. Jake b 02:47, 1 June 2006 (UTC)

9,740,000 entries and u can't even post one. in fact, if i did not now better, i woud guess that u were simply wanting other people to do the work for u. and in any event, that it is mentioned on www.us-cert.gov does not make it notable. it may be notable, but being mentioned by www.us-cert.gov does not make it so. personally, i think that if u want to provide evidence that a specific vulnerability is notable, u ought not cite a site whose goal is 2 list every single vulnerability that has ever been discovered in every single application, ever. doing so is rather like trying to prove that someone from some high schools graduating class is notable simply because they appear in that yearbook. Never-mind the fact that everyone appears in that yearbook.

also, i have to ask - were u running a phpbb that got hacked or something? cuz, despite your claims, u seem rly pissed off at phpbb. 83.149.72.211 03:29, 1 June 2006 (UTC)

Jake b, If you have anything that is neutral POV and covers everything to do with phpBB Security, feel free to post it here for review. If you don't, kindly don't stir the pot. Thanks. Edward NZ 07:58, 1 June 2006 (UTC)

Having "read the entire phpBB talk history" does not excuse you from civility or discussion. Anyway, if we want some concrete evidence, we may as well start with the Secunia vulnerability list. æle ✆ 2006-06-01t20:26z

Being "civil" or not has nothing to do with my right to express my opinion that this article is controlled by the phpBB Group (it is), and there for biased (it is). Feel free to disagree, but the evidence (review the phpBBHacks.com to-do) is strong that views that are not in accordance with those of the phpBB Group get shouted out by contributors here who have well established ties to the phpBB Group. In other words, any suggestion that a section that contained security / code standards criticisms could be included is pretty much a fraud. Jake b 17:24, 5 June 2006 (UTC)

If you think that this article needs a section detailing about security problems, then by all means add one.

You also might wish to have a look at TINC. NeoThermic 18:03, 5 June 2006 (UTC)

You have not yet proposed any possible wordings of such a section. Why not write one and bring it to discussion? And, by the way, the only rights users have on Wikipedia are the rights to fork and leave. There is no right to free speech on Wikipedia. æle ✆ 2006-06-05t18:14z

Actually, some of the past problems have been in the wiki article, but because of the glaring inaccuracies and general FUD, they were removed (I might note not by me or any of the phpBB team...). I only wish the truth to be known, which is while phpBB has had previous problems, it is the only forum software that I know of that has had a full security audit on its codebase. NeoThermic 20:55, 1 June 2006 (UTC)

The biggest indication that this whole article is a "puff piece" owned by the phpBB Group and its flunkies (you know who you are) is the lack of a section discussing the security vulnerabilities that many attributed to phpBB. Yes, yes, we all know that it was a much more complicated issue that relates to vulnerabilities in php itself, but to ignore that these vulnerabilities effected the security of past versions of phpBB in a disturbingly critical way is indeed disturbingly selective memory. But I guess it’s to be expected in a public relations press release like this article. Jake b 16:54, 8 June 2006 (UTC)

As I posted above: If you think that this article needs a section detailing about security problems, then by all means add one. You also might wish to have a look at TINC. NeoThermic 22:08, 8 June 2006 (UTC)

NeoThermic: "the only forum software that I know of that has had a full security audit on its codebase" Can you source this claim? Otherwise I'd consider it as a fanboy claim. --Rasbelin 04:32, 28 June 2006 (UTC)

If you had done a Google search for security audit you would have found [[4]] and [[5]]. If other forum softwares have had security audits NeoThermic does not know about them. Does that make more sense? 216.40.225.203

It's the responsibility of the one that makes the claim to source it somewhere, not mine. That's how Wikipedia anyway works. Now the threads you pointed out, don't have any viable claims that are worth putting into the article, because the reference made to an audit is a very unprecise statement. The reader is left without details how thorough it has been and who has carried it out. For it to be worth to be mentioned, it should be carried out by some credible party. Furthermore the audits are already outdated, as more vulnerabilities have been found since those threads were posted. And I highly doubt the commercial competitors wouldn't have done their fair share of auditing. --Rasbelin 13:38, 28 June 2006 (UTC)

For it to be worth to be mentioned, it should be carried out by some credible party

Such as? How do you define a credible party? For example, the people in the audit group for phpBB included Paul Laudanski, who runs castlecops.com and is a Microsoft MVP in Windows-Security. Does he count as credible? As for the comment about it being outdated, the vulnerabilities found after the audit were XSS that only affected IE due to the way it parses some of the most amazingly invalid HTML.

As for the source of my claim about phpBB being the only forum software that I know of that has had an audit, a google search on vbull's site turns up nothing, neither does one for invisionpower's site (makers of IPB); and exactly the same result for SMF's site. If you know of any forum other than phpBB that has had one, I'd be happy to hear about it. NeoThermic 15:08, 28 June 2006 (UTC)

A credible party is one who's not anonymous, somekind of a relationship with computer security and which can be actually sourced from a source that be used as reference in this Wikipedia article. The announcement threads on the phpBB community forums only contained very remote references to who was been involved. Now these two references are not really credible, especially as they're so unspecific in terms of details. Sure, there might have been an audit sometime in the past, but there's far too obscure details about it, in order to have it included. As for what other vendors have done, I only said that I myself highly doubt they wouldn't have. Notice I did not ever claim that they have done so for certain. I do however speculate that they haven't had a need for that, because they haven't had a bad reputation for being especially vulnerable in terms security, unlike the reputation phpBB has had. This reputation most likely has made them do an audit. Usually something like a PR issue causes someone to advertise a security audit. --Rasbelin 07:20, 29 June 2006 (UTC)

And now you're going into speculation and things that can't be proved. The choice of doing an audit is soly to get an extra check on the code to make sure there's no critical issues with the secuirty of it. Other software would of had an audit (like Vista for example); but that doesn't only mean it was done in response to a "reputation", it is a key part of good software writing. It also isn't a PR issue to announce such audits have been done. Indeed, the NSA have audited most of the encryption/hash algo's, and that information is public. Are you going to tell me that is in response to a PR issue and a "reputation"? No, its a sign that the code has been checked and is secure.

A credible party is one who's not anonymous, somekind of a relationship with computer security and which can be actually sourced from a source that be used as reference in this Wikipedia article.

Does this suffice? https://mvp.support.microsoft.com/profile=51727e0b-6c4d-49d0-a642-67dd3d7fdddc

NeoThermic 10:48, 29 June 2006 (UTC)

Being MVP in Windows security has nothing to do with web application security and being good at PHP and SQL related security. Furthermore you still haven't established a clear public link between this person and the phpBB project. Any statement about him being related to the audit couldn't be sourced, because I haven't yet seen anyone actually point out a clear public link between him and the audit. So can anyone now please show some public source which would contain details about the audit having been carried out by some neutral party with knowledge in web application security? If not, the whole security audit unfortunately sounds like a very vague claime. If there's facts to back it up with, then good, let's update the article to reflect that. As for reputation/PR, you can't claim that phpBB wouldn't have suffered from bad reputation caused by the repeated security vulnerabilities found in it in the past few years. That's something the phpBB Group itself too has recognised. Regarding the reasons for the audit, it's indeed a matter of opinion, which is why I wasn't suggesting anything like including it. --Rasbelin 14:41, 29 June 2006 (UTC)

I take it you did not bother to use google to find the large list of things related to web applications that Paul Laudanski has done reports for. Also, secuirty in windows applications does relate to web applications because both of the require user input, and with that must secure the user input to make sure that nothing bad can be done. The general principle of finding security holes applies across all platforms, languages and applications, web or not.

As for the clear public link, there was one, but this was removed a few months ago (the audit group was listed on the about page). I will see what I can do about getting that information back in the public view.

Finally, I'm not claiming that phpBB has't been attached a bad reputation, but I'm stating that it wasn't a major reason for an audit to be done. It was brought up that there was no audit done since 2.0 was released, and thus one was done due to the number of changes phpBB has had and the changing landscape of web security. NeoThermic 20:38, 1 July 2006 (UTC)

Furthermore the audits are already outdated, as more vulnerabilities have been found since those threads were posted.

Oh? Remember what you told me - It's the responsibility of the one that makes the claim to source it somewhere, not mine. Can you source your claim anywhere? 216.40.225.203 17:05, 28 June 2006 (UTC)

The announcement forum of the official phpBB community forum contains quite a few announcements about the security related updates, which have been released since the acclaimed audits. --Rasbelin 07:20, 29 June 2006 (UTC)

Then it shouldn't be that hard to find one, should it? As for the audit being out of date - please. Any audit is made out of date after changes have been made. So can an audit ever be up to date? To me, what your observation means is that it wasn't fully comprehensive, but no auditor worthy of that title would claim to be fully comprehensive, anyway. Does that mean the NSA was at that time a stupid organization, not worthy of the tasks it had been given? Look at DES. It was audited by the NSA in 1974 yet it is no longer considered to be a secure algorithim. Look at MD5. It was reviewed by the academic community and thought to be secure until 2004. Does that mean that everyone in academia, prior to 2004, were idiots?

Furthermore, all of the pre-2004 attacks found on MD5 are insignificant. To claim that they make those attacks make MD5 is like claiming that solar flares - which eject trivially insigificant portions of the sun - make the sun less bright. Likewise, are the vulnerabilities found in phpBB to phpBB as solar flares are to the sun or are they actually notable? If they are not notable I can see an auditor whose trying to prove his worth not mentioning those simply because he'd rather people think that he just wasn't doing an audit instead of having people think that all he can find are insignificant issues that no one cares about. 216.40.225.203 08:22, 29 June 2006 (UTC)

20-30 years (in the case of DES) is a very different thing than from several months up to a year, which was the case with phpBB and the new exploits which have been found since the acclaimed audit of the code. Of course it's plausible that it can't be expected that the code is still secure after some 20-30 years, but having issues after under a year since an audit is a pretty different thing. "To me, what your observation means is that it wasn't fully comprehensive" Indeed that was my observation, because apparently there's a lack of details about this acclaimed audit. I seriously still would like to see actual details on it, so that it can be included as a sourced and credible statement. This is after all supposed to be an encyclopedic project, not some sort of phpBB PR stand. BTW, as you I'd register and sign my comments with a name. --Rasbelin 14:41, 29 June 2006 (UTC)

Security

I have added a section about phpBB and security issues. I tried to keep it as unbiased as possible, mentioning that phpBB has (like every other forum system) had its share of security problems, but also noting that the team is doing many things to make sure that phpBB users and administrators are protected. 88.64.68.227 14:22, 19 June 2006 (UTC)

Not bad but I'm not sure about the opening few lines. "The security of phpBB has been disputed recently." By whom? Is there a source? Also I've been around phpBB since about version 2 was released and seen many critiscisms of its security as each new bug was found, so I'm not sure how "recently" fits. The next part "Some people say that phpBB is an insecure product, whlie others say that it doesn't have more security problems than other forum systems." I again ask who? "Some people" could mean a friend of yours and his dog. It's good you've mentioned things like CAPTHCA and so on but the opening I felt was lacking sources (or just needs to be removed and re-worded appropriately). The rest is good. Yay unto the Chicken 07:50, 20 June 2006 (UTC)

The problem is, that you notice such things when browsing the net. It's hard to find good sources, but I think security mailing lists, maybe CERT would be good sources. If you feel like rewording it, go ahead, I've tried to do my best writing something that doesn't get delete out right away ;) 84.56.43.145 09:56, 21 June 2006 (UTC)

What about citing the phpBB changelogs? About the "it's recently been disputed" bit - isn't that about as encyclopedic as saying "lots of people don't like Taco Bell"? If there's a reason lots of people don't like it then it is that reason should be mentioned - not some intangible "people just don't like it" 70.98.54.10

Ok, maybe could reword the whole section a little, I think that it should be included, but I'm a little unsure about how to word it (haven't been editing Wikipedia for long). 84.56.25.100 23:15, 22 June 2006 (UTC)

The entire section needs rewriting, take a look at Wikipedia:Avoid_weasel_words. If you want to add a security section, cut out all of the "Some people say" and "This can be argued". Present only facts with references, not opinion - list the vulnerabilities with their fixes and the reaction by the phpBB group if you like so people can read the facts, not any one persons opinions on how secure phpBB is. --82.6.205.188 21:11, 23 June 2006 (UTC)

Will do so - after today's classes and work ;) 129.187.41.16 09:38, 26 June 2006 (UTC)

I've tried to clean it up a bit. Thoughts? Anon 22:02, 2 July 2006 (UTC)

I removed the weasel word label and polished a few minor wordings (could have done all as one edit, but I had page loading issues). Aside of that, your edits make it okay. However the security audit should still be sourced to some public information to make it look like a credible statement. It's something I'm quite sure otherwise will be questionised by others in the future. --Rasbelin 09:25, 3 July 2006 (UTC)

Looks nice. 129.187.100.216 12:22, 3 July 2006 (UTC)

a series of new versions in a relatively small timeframe

I think its best we define what is ment by small timeframe. Here's a list of the last 5 phpBB releases:

.21 - 2006-06-09

.20 - 2006-04-07

.19 - 2005-12-30

.18 - 2005-10-30

.17 - 2005-07-19

As you can clearly see, the smallest gap between two releases has been two months (.20 to .21), while in just this limited sample, the largest gap has been approx. four months. I don't think these gaps are small. NeoThermic 11:09, 3 July 2006 (UTC)

No, the gaps are not small. The only small gap IMO was the one between .12 and .13, but that one got stuck in people's minds. The release times are normal for a project of this size. 129.187.100.216 12:22, 3 July 2006 (UTC)