Le 27/09/2010 10:02, Romain d'Alverny a écrit : 
Hi,

On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga@uridium.org> wrote:
  
I did a quick comparison of the most common forum software packages
(both commercial and FOSS) from a vulnerability point of view.

I'm subscribed to the well known (every sysadmin that takes his/her job
seriously is subscribed to it) weekly SANS "@RISK: The Consensus
Security Alert" newsletter since 2000, so I have an mbox archive file
that contains almost 11 years worth of weekly alerts of software
vulnerabilities.

A quick an easy way that I have used before to assess the vulnerability
of any software is to do a simple grep of the software name in this mbox
file and count the times that software gets mentioned. While this is not
100% scientific it gives a good approximation of the amount of
vulnerabilities a particular software has suffered from.
    
Indeed. It's interesting. But ranking only by the disclosed number of
vulnerabilities in the past does not assess what will be in the
future. It's not enough.

What would be an additional important figure is, how long has it been
for each vulnerability to be fixed; how many users each has had, etc.

Plus, what type of vulnerability. Plus, for what branch of the
software (I guess, for instance, phpBB 2.x and 3.x are a bit
different).
Hi,

phpbb2 and phpbb3 share very few lines of code afaik

And statistics are enough to explain :

phpBB2: 38 advisories (27 vuln) 0% unpatched
http://secunia.com/advisories/product/463/

9% highly critical, 34% moderate, 49% low, 9% not

phpBB2 is/was a well known security nightmare :o)

----

fudForum: 2 advisories (2 vuln) 0% unpatched
http://secunia.com/advisories/product/5530/

50% highly critical, 50% moderate

The critical one allowing system access :o)

----

phpBB3: 4 advisories (5 vuln) 0% unpatched
http://secunia.com/advisories/product/17998/

0% highly critical, 25 % moderate, 75% low

----

I crearly consider phpBB3 not less secure than fudForum can be :)


What we do need is a forum that matches our needs; actually pretty
basic, but maybe for having good admin features, excellent
hackability, extensability, being well documented, having a nice
community of developers around it. And, provided we're in the free
software thing, we want to be able to share changes as well (would it
be only through our own community) without worrying.

So, requirement #1: open source license (as in http://opensource.org/ ).

[...]

Romain
when it comes to forum engine choice there are many things important to consider (in particular if we are optimistic enough to consider it could grow with Mageia future success).

Security is one of them.

If the forum is supposed to grow we must have something properly working under rather high load... than can involve a separate server for database (or even something stronger) that can also involve a forum engine that proved it's ability to survive high loads (and the biggest in http://www.big-boards.com runs phpBB3).

Very *very* important if we want to be able to deal with trolls and forum users experience : we must have moderation needs being well addressed (global topic management with topics splitting and merging, easy messages management (editing, suppressing, moving... hiding ?), easy user management including things like temporary moderation of messages to calm down trolls and other useful thing like detection of multiple accounts creation, temporary or definitive banishment, ability to give extended rights to "special" people (dev, bug squad, doc writers, technical support...)

If we want to provide a good user experience we must have something that provide a templating system easy to understand and to play with.

Then there are administration features (bot management, forum structure, fine grained access control and tuning)

And obviously hackability is important to allow things like SSO and other cool things (perhaps nice RSS features ? Mailing Lists connection ? Button available to Technical support team and moderators allowing to send an alert on Cauldron list if a post can be interresting for devs ? Bugzilla connection ?)

Something very secure that cannot do the job or that will make moderators life a hell and user experience a pain is not the ideal forum engine imho

All this parameters (and others less important) need to be taken in account and the first people whom i would listen to are future administrators and moderators... because they will suffer with it every day... and beacause the quality of their work and attitude toward forum users will be the first thing likely to attract people and give a good reputation to Mageia community :)

my2cents

Maât