Topic: Greater security as a 1.3 goal?

I know secure code is everyone's goal nowadays, but is it an explicit goal of the punBB 1.3 dev effort to improve on the security of punBB?

1.2.14 seems pretty good and stable, but I am worried that 1.3 - with its hundreds of new hooks, its new this, new that - could also open a few new doors to exploitation.

I write this after reading in the latest SANS Consensus Security Alert (http://www.sans.org/newsletters/risk/) of a batch of new exploits for common forum packages (but not punBB so far). They just keep coming, and all popular forums are pretty much under constant onslaught.

It would be nice to think extra security awareness was in 1.3, balancing out its new features...

Re: Greater security as a 1.3 goal?

As far as I know, PunBB hasn't had any major security flaw mass exploited. Nothing compared to phpBB and the like.

And from what I read, security is not a "major thing to do" in 1.3, because there is nothing to do, really. If they find flaws, they will address them. And of course on the other hand they won't write specific flawed code.

So yes, they could say it if it makes some feel better, but it's just an illusion; 1.3 has no reason to be more or less secure than the previous version, and those were nicely secured.

Re: Greater security as a 1.3 goal?

I really hope that the transition from 1.2.x to 1.3.x is going to be a smooth one. Many of us out here run highly modified punBBs, and converting over to 1.3 (if painful) will not be welcome unless it is, in fact, an easy, smooth transition.

~thegleek


Re: Greater security as a 1.3 goal?

sirena,

Being part of the project, I'm privy to the conversations the developers have, and I can say with certainty that they know their stuff. PunBB 1.3 will have its bumps, no doubt, but you can rest assured that they will get ironed out very quickly.

Re: Greater security as a 1.3 goal?

hcgtv wrote:

sirena,

Being part of the project, I'm privy to the conversations the developers have, and I can say with certainty that they know their stuff. PunBB 1.3 will have its bumps, no doubt, but you can rest assured that they will get ironed out very quickly.

Cool. I don't doubt the developers know their stuff. The robustness of punBB sure shows it.

punBB's robustness to date (IMHO) seems in part related to the 'leanness-by-design' Rickard has been pretty good at sticking to.

I just worry that with the greater code complexity of 1.3 (and more cooks) the probability of bugs/vulns in the punBB 'core' inevitably goes up.

I still have nightmares over my experience using the Mambo CMS several years ago. The core dev team kept expanding, the code base swelled, features mushroomed, and it became a hacker's paradise and a web manager's nightmare.

Optional add-ons and plug-ins will always be of highly variable quality, but it would be good if the punBB core code stayed lean, mean and secure as things go to 1.3 :)

Re: Greater security as a 1.3 goal?

Sirena, that's exactly why some developers stick to a different approach. PunBB is one, Textpattern is another. Keep the core slim, fast, light, don't bloat it, and let the plugins do the other jobs.


Re: Greater security as a 1.3 goal?

sirena wrote:

I just worry that with the greater code complexity of 1.3 (and more cooks) the probability of bugs/vulns in the punBB 'core' inevitably goes up.

Don't worry, trust me, you can eat off the kitchen floor ;)

http://dev.punbb.org/changeset/757