From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- .../20100927/e7007c74/attachment-0001.html | 151 +++++++++++++++++++++ .../attachments/20100927/e7007c74/attachment.html | 151 +++++++++++++++++++++ 2 files changed, 302 insertions(+) create mode 100644 zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html create mode 100644 zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment.html (limited to 'zarb-ml/mageia-dev/attachments/20100927/e7007c74') diff --git a/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html new file mode 100644 index 000000000..2c5544412 --- /dev/null +++ b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment-0001.html @@ -0,0 +1,151 @@ + + + + + + +Le 27/09/2010 10:02, Romain d'Alverny a écrit : +
+
Hi,
+
+On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga@uridium.org> wrote:
+  
+
+
+I did a quick comparison of the most common forum software packages
+(both commercial and FOSS) from a vulnerability point of view.
+
+I'm subscribed to the well known (every sysadmin that takes his/her job
+seriously is subscribed to it) weekly SANS "@RISK: The Consensus
+Security Alert" newsletter since 2000, so I have an mbox archive file
+that contains almost 11 years worth of weekly alerts of software
+vulnerabilities.
+
+A quick an easy way that I have used before to assess the vulnerability
+of any software is to do a simple grep of the software name in this mbox
+file and count the times that software gets mentioned. While this is not
+100% scientific it gives a good approximation of the amount of
+vulnerabilities a particular software has suffered from.
+    
+
+
+Indeed. It's interesting. But ranking only by the disclosed number of
+vulnerabilities in the past does not assess what will be in the
+future. It's not enough.
+
+What would be an additional important figure is, how long has it been
+for each vulnerability to be fixed; how many users each has had, etc.
+
+Plus, what type of vulnerability. Plus, for what branch of the
+software (I guess, for instance, phpBB 2.x and 3.x are a bit
+different).
+  
+
+Hi,
+
+phpbb2 and phpbb3 share very few lines of code afaik
+
+And statistics are enough to explain :
+
+phpBB2: 38 advisories (27 vuln) 0% unpatched
+http://secunia.com/advisories/product/463/
+
+9% highly critical, 34% moderate, 49% low, 9% not
+
+phpBB2 is/was a well known security nightmare :o)
+
+----
+
+fudForum: 2 advisories (2 vuln) 0% unpatched
+http://secunia.com/advisories/product/5530/
+
+50% highly critical, 50% moderate
+
+The critical one allowing system access :o)
+
+----
+
+phpBB3: 4 advisories (5 vuln) 0% unpatched
+http://secunia.com/advisories/product/17998/
+
+0% highly critical, 25 % moderate, 75% low
+
+----
+
+I crearly consider phpBB3 not less secure than fudForum can be :)
+
+
+
+
What we do need is a forum that matches our needs; actually pretty
+basic, but maybe for having good admin features, excellent
+hackability, extensability, being well documented, having a nice
+community of developers around it. And, provided we're in the free
+software thing, we want to be able to share changes as well (would it
+be only through our own community) without worrying.
+
+So, requirement #1: open source license (as in http://opensource.org/ ).
+
+[...]
+
+Romain
+  
+
+when it comes to forum engine choice there are many things important to +consider (in particular if we are optimistic enough to consider it +could grow with Mageia future success).
+
+Security is one of them.
+
+If the forum is supposed to grow we must have something properly +working under rather high load... than can involve a separate server +for database (or even something stronger) that can also involve a forum +engine that proved it's ability to survive high loads (and the biggest +in http://www.big-boards.com runs phpBB3).
+
+Very *very* important if we want to be able to deal with trolls and +forum users experience : we must have moderation needs being well +addressed (global topic management with topics splitting and merging, +easy messages management (editing, suppressing, moving... hiding ?), +easy user management including things like temporary moderation of +messages to calm down trolls and other useful thing like detection of +multiple accounts creation, temporary or definitive banishment, ability to give extended rights to "special" +people (dev, bug squad, doc writers, technical support...)
+
+If we want to provide a good user experience we must have something +that provide a templating system easy to understand and to play with.
+
+Then there are administration features (bot management, forum +structure, fine grained access control and tuning)
+
+And obviously hackability is important to allow things like SSO and +other cool things (perhaps nice RSS features ? Mailing Lists connection +? Button available to Technical support team and moderators allowing to +send an alert on Cauldron list if a post can be interresting for devs ? +Bugzilla connection ?)
+
+Something very secure that cannot do the job or that will make +moderators life a hell and user experience a pain is not the ideal +forum engine imho
+
+All this parameters (and others less important) need to be taken in +account and the first people whom i would listen to are future +administrators and moderators... because they will suffer with it every +day... and beacause the quality of their work and attitude toward forum +users will be the first thing likely to attract people and give a good +reputation to Mageia community :)
+
+my2cents
+
+Maât
+
+
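Review bot: the attribution line near the top of attachment-0001.html, `On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga@uridium.org> wrote:`, commits a list member's full e-mail address in clear text into an HTML archive file. Obscure the address before import (for example by rewriting the `@`), or state in the commit message that publishing poster addresses unmodified is intended for these archives. The subject line "Add zarb MLs html archives" says nothing about how personal data in the imported messages is handled.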
+ + diff --git a/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment.html b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment.html new file mode 100644 index 000000000..2c5544412 --- /dev/null +++ b/zarb-ml/mageia-dev/attachments/20100927/e7007c74/attachment.html @@ -0,0 +1,151 @@ + + + + + + +Le 27/09/2010 10:02, Romain d'Alverny a écrit : +
+
Hi,
+
+On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga@uridium.org> wrote:
+  
+
+
+I did a quick comparison of the most common forum software packages
+(both commercial and FOSS) from a vulnerability point of view.
+
+I'm subscribed to the well known (every sysadmin that takes his/her job
+seriously is subscribed to it) weekly SANS "@RISK: The Consensus
+Security Alert" newsletter since 2000, so I have an mbox archive file
+that contains almost 11 years worth of weekly alerts of software
+vulnerabilities.
+
+A quick an easy way that I have used before to assess the vulnerability
+of any software is to do a simple grep of the software name in this mbox
+file and count the times that software gets mentioned. While this is not
+100% scientific it gives a good approximation of the amount of
+vulnerabilities a particular software has suffered from.
+    
+
+
+Indeed. It's interesting. But ranking only by the disclosed number of
+vulnerabilities in the past does not assess what will be in the
+future. It's not enough.
+
+What would be an additional important figure is, how long has it been
+for each vulnerability to be fixed; how many users each has had, etc.
+
+Plus, what type of vulnerability. Plus, for what branch of the
+software (I guess, for instance, phpBB 2.x and 3.x are a bit
+different).
+  
+
+Hi,
+
+phpbb2 and phpbb3 share very few lines of code afaik
+
+And statistics are enough to explain :
+
+phpBB2: 38 advisories (27 vuln) 0% unpatched
+http://secunia.com/advisories/product/463/
+
+9% highly critical, 34% moderate, 49% low, 9% not
+
+phpBB2 is/was a well known security nightmare :o)
+
+----
+
+fudForum: 2 advisories (2 vuln) 0% unpatched
+http://secunia.com/advisories/product/5530/
+
+50% highly critical, 50% moderate
+
+The critical one allowing system access :o)
+
+----
+
+phpBB3: 4 advisories (5 vuln) 0% unpatched
+http://secunia.com/advisories/product/17998/
+
+0% highly critical, 25 % moderate, 75% low
+
+----
+
+I crearly consider phpBB3 not less secure than fudForum can be :)
+
+
+
+
What we do need is a forum that matches our needs; actually pretty
+basic, but maybe for having good admin features, excellent
+hackability, extensability, being well documented, having a nice
+community of developers around it. And, provided we're in the free
+software thing, we want to be able to share changes as well (would it
+be only through our own community) without worrying.
+
+So, requirement #1: open source license (as in http://opensource.org/ ).
+
+[...]
+
+Romain
+  
+
+when it comes to forum engine choice there are many things important to +consider (in particular if we are optimistic enough to consider it +could grow with Mageia future success).
+
+Security is one of them.
+
+If the forum is supposed to grow we must have something properly +working under rather high load... than can involve a separate server +for database (or even something stronger) that can also involve a forum +engine that proved it's ability to survive high loads (and the biggest +in http://www.big-boards.com runs phpBB3).
+
+Very *very* important if we want to be able to deal with trolls and +forum users experience : we must have moderation needs being well +addressed (global topic management with topics splitting and merging, +easy messages management (editing, suppressing, moving... hiding ?), +easy user management including things like temporary moderation of +messages to calm down trolls and other useful thing like detection of +multiple accounts creation, temporary or definitive banishment, ability to give extended rights to "special" +people (dev, bug squad, doc writers, technical support...)
+
+If we want to provide a good user experience we must have something +that provide a templating system easy to understand and to play with.
+
+Then there are administration features (bot management, forum +structure, fine grained access control and tuning)
+
+And obviously hackability is important to allow things like SSO and +other cool things (perhaps nice RSS features ? Mailing Lists connection +? Button available to Technical support team and moderators allowing to +send an alert on Cauldron list if a post can be interresting for devs ? +Bugzilla connection ?)
+
+Something very secure that cannot do the job or that will make +moderators life a hell and user experience a pain is not the ideal +forum engine imho
+
+All this parameters (and others less important) need to be taken in +account and the first people whom i would listen to are future +administrators and moderators... because they will suffer with it every +day... and beacause the quality of their work and attitude toward forum +users will be the first thing likely to attract people and give a good +reputation to Mageia community :)
+
+my2cents
+
+Maât
+
+
+ + -- cgit v1.2.1
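Review bot: attachment.html is the same blob as attachment-0001.html. Both file headers read `index 000000000..2c5544412` and both hunks are `@@ -0,0 +1,151 @@`, so the commit adds one 151-line message body under two names in 20100927/e7007c74/. If both names have to exist so that links from the imported archive keep resolving, say so in the commit message. Otherwise keep a single copy, so that any later correction or redaction of this message does not have to be applied in two places.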