Diffstat (limited to 'zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html')
-rw-r--r-- | zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html new file mode 100644 index 000000000..2c5544412 --- /dev/null +++ b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html 
@@ -0,0 +1,151 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html> +<head> + <meta content="text/html; charset=ISO-8859-1" + http-equiv="Content-Type"> +</head> +<body text="#000000" bgcolor="#ffffff"> +Le 27/09/2010 10:02, Romain d'Alverny a écrit : +<blockquote + cite="mid:AANLkTinN0Z63ixrr6XvpryQzFPsDXXt098xqMRXNPcdB@mail.gmail.com" + type="cite"> + <pre wrap="">Hi, + +On Mon, Sep 27, 2010 at 08:19, Tux99 <a class="moz-txt-link-rfc2396E" href="mailto:tux99-mga@uridium.org"><tux99-mga@uridium.org></a> wrote: + </pre> + <blockquote type="cite"> + <pre wrap=""> +I did a quick comparison of the most common forum software packages +(both commercial and FOSS) from a vulnerability point of view. + +I'm subscribed to the well known (every sysadmin that takes his/her job +seriously is subscribed to it) weekly SANS "@RISK: The Consensus +Security Alert" newsletter since 2000, so I have an mbox archive file +that contains almost 11 years worth of weekly alerts of software +vulnerabilities. + +A quick an easy way that I have used before to assess the vulnerability +of any software is to do a simple grep of the software name in this mbox +file and count the times that software gets mentioned. While this is not +100% scientific it gives a good approximation of the amount of +vulnerabilities a particular software has suffered from. + </pre> + </blockquote> + <pre wrap=""> +Indeed. It's interesting. But ranking only by the disclosed number of +vulnerabilities in the past does not assess what will be in the +future. It's not enough. + +What would be an additional important figure is, how long has it been +for each vulnerability to be fixed; how many users each has had, etc. + +Plus, what type of vulnerability. Plus, for what branch of the +software (I guess, for instance, phpBB 2.x and 3.x are a bit +different). 
+ </pre> +</blockquote> +Hi,<br> +<br> +phpbb2 and phpbb3 share very few lines of code afaik<br> +<br> +And statistics are enough to explain :<br> +<br> +phpBB2: 38 advisories (27 vuln) 0% unpatched<br> +<a class="moz-txt-link-freetext" href="http://secunia.com/advisories/product/463/">http://secunia.com/advisories/product/463/</a><br> +<br> +9% highly critical, 34% moderate, 49% low, 9% not<br> +<br> +phpBB2 is/was a well known security nightmare :o)<br> +<br> +----<br> +<br> +fudForum: 2 advisories (2 vuln) 0% unpatched<br> +<a class="moz-txt-link-freetext" href="http://secunia.com/advisories/product/5530/">http://secunia.com/advisories/product/5530/</a><br> +<br> +50% highly critical, 50% moderate<br> +<br> +The critical one allowing system access :o)<br> +<br> +----<br> +<br> +phpBB3: 4 advisories (5 vuln) 0% unpatched<br> +<a class="moz-txt-link-freetext" href="http://secunia.com/advisories/product/17998/">http://secunia.com/advisories/product/17998/</a><br> +<br> +0% highly critical, 25 % moderate, 75% low<br> +<br> +---- <br> +<br> +I crearly consider phpBB3 not less secure than fudForum can be :)<br> +<br> +<br> +<blockquote + cite="mid:AANLkTinN0Z63ixrr6XvpryQzFPsDXXt098xqMRXNPcdB@mail.gmail.com" + type="cite"> + <pre wrap="">What we do need is a forum that matches our needs; actually pretty +basic, but maybe for having good admin features, excellent +hackability, extensability, being well documented, having a nice +community of developers around it. And, provided we're in the free +software thing, we want to be able to share changes as well (would it +be only through our own community) without worrying. + +So, requirement #1: open source license (as in <a class="moz-txt-link-freetext" href="http://opensource.org/">http://opensource.org/</a> ). + +[...] 
+ +Romain + </pre> +</blockquote> +when it comes to forum engine choice there are many things important to +consider (in particular if we are optimistic enough to consider it +could grow with Mageia future success).<br> +<br> +Security is one of them.<br> +<br> +If the forum is supposed to grow we must have something properly +working under rather high load... than can involve a separate server +for database (or even something stronger) that can also involve a forum +engine that proved it's ability to survive high loads (and the biggest +in <a class="moz-txt-link-freetext" href="http://www.big-boards.com">http://www.big-boards.com</a> runs phpBB3).<br> +<br> +Very *very* important if we want to be able to deal with trolls and +forum users experience : we must have moderation needs being well +addressed (global topic management with topics splitting and merging, +easy messages management (editing, suppressing, moving... hiding ?), +easy user management including things like temporary moderation of +messages to calm down trolls and other useful thing like detection of +multiple accounts creation, temporary or definitive <span + id="result_box" class="short_text"><span + style="background-color: rgb(230, 236, 249); color: rgb(0, 0, 0);" + title="">banishment, ability to give extended rights to "special" +people (dev, bug squad, doc writers, </span></span>technical support...)<br> +<br> +If we want to provide a good user experience we must have something +that provide a templating system easy to understand and to play with.<br> +<br> +Then there are administration features (bot management, forum +structure, fine grained access control and tuning)<br> +<br> +And obviously hackability is important to allow things like SSO and +other cool things (perhaps nice RSS features ? Mailing Lists connection +? Button available to Technical support team and moderators allowing to +send an alert on Cauldron list if a post can be interresting for devs ? 
+Bugzilla connection ?)<br> +<br> +Something very secure that cannot do the job or that will make +moderators life a hell and user experience a pain is not the ideal +forum engine imho<br> +<br> +All this parameters (and others less important) need to be taken in +account and the first people whom i would listen to are future +administrators and moderators... because they will suffer with it every +day... and beacause the quality of their work and attitude toward forum +users will be the first thing likely to attract people and give a good +reputation to Mageia community :)<br> +<br> +my2cents<br> +<br> +Maât<br> +<br> +<br> +</body> +</html> |
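Review bot: the new attachment's `<meta content="text/html; charset=ISO-8859-1">` header should be checked against the bytes actually committed, since the body contains accented characters ("a écrit", "Maât") that render as mojibake if the file is in fact UTF-8; either confirm the file is Latin-1 or change the meta to `charset=UTF-8`. As a smaller point, the `<span id="result_box" class="short_text">` wrapper with its inline `background-color` style around "banishment, ability to give extended rights..." is leftover translation-tool markup carrying no content and could be dropped so the archived HTML stays plain.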