• sirena
  • sirena
  • Senior Member
  • Offline
  • Registered: 2006-04-06
  • Posts: 473

Topic: Greater security as a 1.3 goal?

I know secure code is everyone's goal nowadays, but is it an explicit goal of the punBB 1.3 dev effort to improve on the security of punBB?

1.2.14 seems pretty good and stable, but I am worried that 1.3 - with its hundreds of new hooks, it's new this, new that - could also open a few new doors to exploitation.

I write this after reading in the latest SANS Consensus Security Alert (http://www.sans.org/newsletters/risk/) of a batch of new exploits for common forum packages (but not punBB so far). They just keep coming, and all popular forums are pretty much under constant onslaught.

It would be nice to think extra security awareness was in 1.3, balancing out its new features...

  • From: France
  • Registered: 2004-11-06
  • Posts: 695

Re: Greater security as a 1.3 goal?

As far as I know, PunBB hadn't any major security flow mass exploited. Nothing compared to PHPBB and the like.

And from what I read, security is not a "major thing to do" in 1.3, because there is nothing to do, really. If they find flaws, they will address them. And of course on the other hand they won't write specific flawed code.

So yes they could say it if it make some feel better, but it's just an illusion; 1.3 has no reason to be more or to be less secure than the previous version; and those were nicely secured.

Jeu de rôle en ligne sur table virtuelleShadowrun FranceChez Blacky

Jérémie's Website

  • From: Detroit, MI USA
  • Registered: 2006-08-11
  • Posts: 80

Re: Greater security as a 1.3 goal?

i really hope that the transition from 1.2.x to 1.3.x is going to be a smooth one. many of us out here run highly modified punbb's that converting over to the 1.3 (if painful) will not be a welcome unless it is, in fact, an easy smooth transition.

~thegleek

thegleek's Website

4 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: Greater security as a 1.3 goal?

sirena,

Being part of the project, I'm privy to the conversations the developers have, and I can say with certainty that they know their stuff. PunBB 1.3 will have it's bumps, no doubt, but you can rest assured that they will get ironed out very quickly.

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • sirena
  • sirena
  • Senior Member
  • Offline
  • Registered: 2006-04-06
  • Posts: 473

Re: Greater security as a 1.3 goal?

hcgtv wrote:

sirena,

Being part of the project, I'm privy to the conversations the developers have, and I can say with certainty that they know their stuff. PunBB 1.3 will have it's bumps, no doubt, but you can rest assured that they will get ironed out very quickly.

Cool. I don't doubt the developers know their stuff. The robustness of punBB sure shows it.

punBB's robustness to date (IMHO) seems in part related to the 'leanness-by-design' Rickard has been pretty good at sticking to.

I just worry that with with greater code complexity of 1.3 (and more cooks) the probability of bugs/vulns in the punBB 'core' inevitably goes up.

I still have nightmares over my experience using the Mambo CMS several years ago. The core dev team kept expanding, the code base swelled, features mushroomed, and it became a hackers paradise and a web managers nightmare.

Optional add-ons and plug-ins will always be of highly-variable quality, but it would be good if the punBB core code stayed lean, mean and secure as things go to 1.3 smile

  • From: France
  • Registered: 2004-11-06
  • Posts: 695

Re: Greater security as a 1.3 goal?

Sirena, that's exactly why some developers stick to other approach of things. PunBB is one, Textpattern is another. Keep the core slim, fast, light, don't bloat it, and let the plugins do other jobs.

Jeu de rôle en ligne sur table virtuelleShadowrun FranceChez Blacky

Jérémie's Website

7 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: Greater security as a 1.3 goal?

sirena wrote:

I just worry that with with greater code complexity of 1.3 (and more cooks) the probability of bugs/vulns in the punBB 'core' inevitably goes up.

Don't worry, trust me, you can eat off the kitchen floor wink

http://dev.punbb.org/changeset/757

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website