[Mageia-dev] A comparison of forum software from a security POV

Mon Sep 27 12:40:19 CEST 2010

Le lundi 27 septembre 2010 à 10:02 +0200, Romain d'Alverny a écrit :
+
+> What we do need is a forum that matches our needs; actually pretty
+> basic, but maybe for having good admin features, excellent
+> hackability, extensability, being well documented, having a nice
+> community of developers around it. And, provided we're in the free
+> software thing, we want to be able to share changes as well (would it
+> be only through our own community) without worrying.
+>
+> So, requirement #1: open source license (as in http://opensource.org/ ).
+
+Yup.
+
+I think we should compile a list of requirements first , and them use
+this to select possibilities.
+
+So let's try : 
+
+good admin features 
+-> lock down thread
+-> move thread between forum
+-> accountability of such changes, at least for admin
+-> transparency of who manage what
+
+hackability / extensibility
+-> support for extension ?
+--> a good ecosystem of extension ?
+-> written in a know language
+-> well written
+--> use existing and well know framework/modules ( ie, not a custom one
+of possible )
+
+being well documented
+-> good user documentation
+--> translated documentation
+--> clear documentation ( screen shot ? )
+-> community around it
+--> well know by people
+
+free license
+-> AGPL would be a plus, but that's just for me :)
+
+as a sysadmin, i would add :
+
+-> not full of security holes
+--> have a good history
+
+-> good reactivity of developers
+--> proper bug tracker ( ie, not a forum )
+--> good history , seen by looking at BTS
+
+-> do not have excessive requirements
+--> do not use too exotic database system like voldemort or hbase
+--> do not requires too exotic language ( erlang, fortran )
+--> do not requires a very specific version of component
+--> do not requires too much unpackaged stuff
+--> portable across databases ( ie, if someday, mysql is killed, we
+could change to a clone or to pgsql )
+
+
+-> not a ressources hog ( like use a db instead of flat file )
+--> able to manage a lot of users, and lots of post
+--> set indexes on the db (a proof that developers thought of it )
+--> scalable ( can it be shard, or clusterised ? )
+
+-> do not produce horrible html
+--> if possible, produce html compliant pages and css
+
+-> could work without javascript, even if this requires to disable more
+advanced features ( some people disable it for various reasons like
+security, etc ).
+
+-> do not requires flash to work
+
+With my jabberfr member hat on :
+
+-> good xmpp integration
+--> take care of xmpp link
+--> offer jabber in vcard
+--> can send message on jabber instead of mail
+
+/me remove the hat
+
+as a user :
+-> a effective antispam
+--> if possible, no captcha, or at least, one that do not weed me out
+
+-> something that do not mark a thread as read if I simply visit the
+forum
+-> a link "last posts" for the whole forum
+-> a link "last posts" for just a forum
+-> having more information when I receive a mail when someone answered. 
+   Ie more like "foo has responded this" more than "someone said  
+   something, click here to see" 
+
+-> efficient search engine
+--> do not forbid 3 letters search ( because acronyms are everywhere )
+
+-> easy to manage from command line, so we can script various thing
+( like removal of inactive account, etc, etc )
+
+-> integrated with sso. this one can be quite tricky to realize, as
+romain will tell you.
+
+I assume that others users will have others requirements ( like custom
+smiley, rich text edition, ml integration, etc ). I remember of a thread
+about using forum like a ticket system. Ie, how could the support be
+improved by changing the process and the forum ?
+
+
+I also assume that some requirement are more important than others. Ie,
+there is MUST and there is MAY, like in RFC.
+
+So let's first gather requirements, then we will decide on what is
+really important or not. 
+
+-- 
+Michael Scherer
+
+