MyBB Community Forums

Full Version: MyBB 1.9 Development
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi,

I just want to chime in here.

I understand where you are all coming from. A lot of you have invested considerable time, energy and money into your sites and the MyBB platform and are understandably concerned about the direction of the project as a whole. I know that we haven't done a great job in managing expectations or keeping you all updated with what's going on. I wish we could have done more to keep everyone up to date.

I want to address some points head on first:
  • MyBB should become paid software

    MyBB prides itself upon being free and Open Source. I don't see this changing any time soon.

    MyBB isn't current registered as a company or a non-profit or incorporated in any way whatsoever - it is a loose collection of individuals contributing their time and effort towards a common goal for no reward. If MyBB were to register as a company or non-profit (and there would certainly be advantages to doing so as I see it), it would require the project owner (Chris) to do so and in the past he has been reluctant to do so.

  • MyBB should hire paid developers to work on the project

    We've tried bringing in developers from outside the community before, and it's never ended well. Most may contribute a couple of times, then usually drop out. Some don't contribute at all.

    The way I see it, the people best placed to contribute to the project are those who actively use the software - they know how it works, and they know which bits of it needs improving.

    As such, one approach that we're considering approaching is the idea of bug bounties. There are several platforms that already exist to work with Bug Bounties, such as Bountysource.

    The way this would work, is community members (including team members) would post monetary bounties on existing GitHub issues for the project. Developers could then tackle these issues, and claim the bounty after the contribution is merged into the core. This offers a financial incentive for contributing, and lets users "put their money where their mouth is" as it were.

    Should this be considered a good idea, the next step for us would be to decide a common platform - ideally, all bounties would go through a single platform rather than being spread across multiple different platforms. We would need community input here for definite.

  • If the new theme is done and the new template system is done, what are we waiting on?

    The codebase for 1.9 is currently sitting at the same level in terms of bug fixes as 1.8.17. All bugs and security issues that have been patched since then are not patched in the 1.9 codebase yet. This is because we failed to keep the two trees in sync as we worked on the templates. When we talk about rebasing, we're talking about bringing the two branches in sync.

  • I'm worried that after 1.9 is released, 1.8 will be abandoned

    We've made a public commitment that after 1.9 is released, 1.8 will be supported for at least a year. This support will include back ported bug fixes and security patches.

  • A new responsive theme is the TOP priority, we don't need a new template system

    A new responsive theme is indeed the top priority. However, creating one required rewriting all of the templates anyway. Whilst doing so, we wanted to improve the templating system as much as we can. We chose to use Twig as an off the shelf product for multiple reasons:
    • Built in filtering and escaping to prevent XSS vulnerabilities, which have been the most common types of vulnerabilities in the 1.8 series
    • Built in support for conditionals and loops, replacing the need for plugins like Template Conditionals and PHP In Templates
    • Built in support for loading templates from disk rather than from the database - we've had many theme developers request the ability to be able to edit templates from their own text editors that thy are already comfortable with that support features like syntax highlighting, find and replace, columns select, etc.
  • MyBB 1.8 works great, why do we need an updated 1.9?

    Yes, MyBB 1.8 works fine as it is, but there are plenty of problems. Here are just a few off the top of my head:
    • Repeated reports of XSS issues, stemming from a lack of escaping of outputs - moving to Twig will all but eliminate this problem
    • Weak password hashing - the built in password hashing scheme in 1.8 of md5(md5(salt) + md5(password)) is trivially weak, especially in the modern era of GPU based cracking
    • No responsive theme (obviously)
    • Lack of support for modern systems and tools - one example I'm often asked about is the ability to use Redis as the cache system. 1.8 doesn't support Redis at all, but it does support eAccelerator - a project that is deprecated and hasn't been supported since PHP 5.3... We need to make sure we support modern tools and technologies, and drop support for old and abandoned tools and technology when they reach end of life
  • MyBB makes decisions behind the scenes and doesn't involve the community

    Some decisions still happen behind the scenes, mostly related to moderation issues and server administration.

    Any decisions on future direction, code, issues, etc. happen fully in the open. They are split across several locations though:
    • GitHub - watch for new issues - and not just on the main mybb/mybb repository. We have a lot of repositories, including a public repository for blog post drafts that barely anybody from outside the team ever contributes to.
    • The forums - threads such as this, the new pre-release threads for new versions, my original post suggesting 1.9 as the future direction, etc.
    • Discord - I know many hate it, but it's a very useful tool for short form discussions. If people ping me on there, I get a near instant notification to my smartphone/tablet and (assuming I'm awake) I try to respond within minutes when possible.

    I'm sure we could be more open, and that's something we're trying to improve as much as possible. If anybody sees something mentioned or happening that they believe has come out of nowhere as a behind the scenes decision, please call us out on it and we'll do what we can to make it more open.

I also just want to mention some of the other tasks that happen that may not be front and centre for most people from my perspective (these are all tasks I perform - I can't talk for other team members). Some people may look and believe the team aren't doing anything, when we're actually busy.
  • Answering emails to [email protected] - these emails include support requests, general questions, requests for us to remove content from sites using MyBB or to remove sites entirely using MyBB. We also get emails requesting password changes. We usually get a couple of these every day and only 3 or 4 staff members receive the emails. I try to respond to these as quickly as possible.
  • Answering questions and discussions on IRC - I always idle on the #mybb channel on free node (and am one of the few staff that does). I get a notification for every message sent to it, and try my best to respond to any questions/issues.
  • Answering threads in Private Inquiries - these include username changes, community grievances, requests to remove content an account, etc. Only a few users have ACP privileges to handle some of these requests, myself included.
  • Sever administration when something goes wrong - as happened just the other day - the whole community forum was down until I woke up and fixed the server.

If anybody has any other specific concerns or questions that they feel I haven't answered or haven't answered sufficiently, please post them here or PM me. Any PMs will be posted here for a public response though, I must warn.

I want to be as open and public as possible. I too have invested a lot of time into this project. I might not have contributed as much financially a some others have, but I would be incredibly sad to see the project disappear.
(2020-04-01, 08:12 PM)Euan T Wrote: [ -> ]Hi,

I just want to chime in here.

I understand where you are all coming from. A lot of you have invested considerable time, energy and money into your sites and the MyBB platform and are understandably concerned about the direction of the project as a whole. I know that we haven't done a great job in managing expectations or keeping you all updated with what's going on. I wish we could have done more to keep everyone up to date.

I want to address some points head on first:
  • MyBB should become paid software

    MyBB prides itself upon being free and Open Source. I don't see this changing any time soon.

    MyBB isn't current registered as a company or a non-profit or incorporated in any way whatsoever - it is a loose collection of individuals contributing their time and effort towards a common goal for no reward. If MyBB were to register as a company or non-profit (and there would certainly be advantages to doing so as I see it), it would require the project owner (Chris) to do so and in the past he has been reluctant to do so.
  • MyBB should hire paid developers to work on the project

    We've tried bringing in developers from outside the community before, and it's never ended well. Most may contribute a couple of times, then usually drop out. Some don't contribute at all.

    The way I see it, the people best placed to contribute to the project are those who actively use the software - they know how it works, and they know which bits of it needs improving.

    As such, one approach that we're considering approaching is the idea of bug bounties. There are several platforms that already exist to work with Bug Bounties, such as Bountysource.

    The way this would work, is community members (including team members) would post monetary bounties on existing GitHub issues for the project. Developers could then tackle these issues, and claim the bounty after the contribution is merged into the core. This offers a financial incentive for contributing, and lets users "put their money where their mouth is" as it were.

    Should this be considered a good idea, the next step for us would be to decide a common platform - ideally, all bounties would go through a single platform rather than being spread across multiple different platforms. We would need community input here for definite.
  • If the new theme is done and the new template system is done, what are we waiting on?

    The codebase for 1.9 is currently sitting at the same level in terms of bug fixes as 1.8.17. All bugs and security issues that have been patched since then are not patched in the 1.9 codebase yet. This is because we failed to keep the two trees in sync as we worked on the templates. When we talk about rebasing, we're talking about bringing the two branches in sync.
  • I'm worried that after 1.9 is released, 1.8 will be abandoned

    We've made a public commitment that after 1.9 is released, 1.8 will be supported for at least a year. This support will include back ported bug fixes and security patches.
  • A new responsive theme is the TOP priority, we don't need a new template system

    A new responsive theme is indeed the top priority. However, creating one required rewriting all of the templates anyway. Whilst doing so, we wanted to improve the templating system as much as we can. We chose to use Twig as an off the shelf product for multiple reasons:
    • Built in filtering and escaping to prevent XSS vulnerabilities, which have been the most common types of vulnerabilities in the 1.8 series
    • Built in support for conditionals and loops, replacing the need for plugins like Template Conditionals and PHP In Templates
    • Built in support for loading templates from disk rather than from the database - we've had many theme developers request the ability to be able to edit templates from their own text editors that thy are already comfortable with that support features like syntax highlighting, find and replace, columns select, etc.
  • MyBB 1.8 works great, why do we need an updated 1.9?

    Yes, MyBB 1.8 works fine as it is, but there are plenty of problems. Here are just a few off the top of my head:
    • Repeated reports of XSS issues, stemming from a lack of escaping of outputs - moving to Twig will all but eliminate this problem
    • Weak password hashing - the built in password hashing scheme in 1.8 of md5(md5(salt) + md5(password)) is trivially weak, especially in the modern era of GPU based cracking
    • No responsive theme (obviously)
    • Lack of support for modern systems and tools - one example I'm often asked about is the ability to use Redis as the cache system. 1.8 doesn't support Redis at all, but it does support eAccelerator - a project that is deprecated and hasn't been supported since PHP 5.3... We need to make sure we support modern tools and technologies, and drop support for old and abandoned tools and technology when they reach end of life
  • MyBB makes decisions behind the scenes and doesn't involve the community

    Some decisions still happen behind the scenes, mostly related to moderation issues and server administration.

    Any decisions on future direction, code, issues, etc. happen fully in the open. They are split across several locations though:
    • GitHub - watch for new issues - and not just on the main mybb/mybb repository. We have a lot of repositories, including a public repository for blog post drafts that barely anybody from outside the team ever contributes to.
    • The forums - threads such as this, the new pre-release threads for new versions, my original post suggesting 1.9 as the future direction, etc.
    • Discord - I know many hate it, but it's a very useful tool for short form discussions. If people ping me on there, I get a near instant notification to my smartphone/tablet and (assuming I'm awake) I try to respond within minutes when possible.
  • I'm sure we could be more open, and that's something we're trying to improve as much as possible. If anybody sees something mentioned or happening that they believe has come out of nowhere as a behind the scenes decision, please call us out on it and we'll do what we can to make it more open.

I also just want to mention some of the other tasks that happen that may not be front and centre for most people from my perspective (these are all tasks I perform - I can't talk for other team members). Some people may look and believe the team aren't doing anything, when we're actually busy.
  • Answering emails to [email protected] - these emails include support requests, general questions, requests for us to remove content from sites using MyBB or to remove sites entirely using MyBB. We also get emails requesting password changes. We usually get a couple of these every day and only 3 or 4 staff members receive the emails. I try to respond to these as quickly as possible.
  • Answering threads in Private Inquiries - these include username changes, community grievances, requests to remove content an account, etc. Only a few users have ACP privileges to handle some of these requests, myself included.
  • Sever administration when something goes wrong - as happened just the other day - the whole community forum was down until I woke up and fixed the server.

If anybody has any other specific concerns or questions that they feel I haven't answered or haven't answered sufficiently, please post them here or PM me. Any PMs will be posted here for a public response though, I must warn.

I want to be as open and public as possible. I too have invested a lot of time into this project. I might not have contributed as much financially a some others have, but I would be incredibly sad to see the project disappear.

Thank you for the clarification points.
In my previous reply, I announced my support for $ 27 to contribute to a responsive template design for a release 1.8
I will be the official template for the release 1.8
This suggestion was made by the member (meetdilip)
You aren’t getting a responsive theme in 1.8.
Thank you @Euan T. Much appreciate everything you do and for the update.
I've tried rebasing myself in the past. It's a nightmare, especially at present stages in which there are more than 300 commits to rebase onto. Since 1.9 will diverge from 1.8 eventually, my proposal to speed it up is to apply the main commits onto 1.9 (let's say, security and the biggest features, if any: the list would be reduced significantly), letting most of the others slip: they are related to styling anyway for the most part, which will be far easier to deal with by using Twig.
(2020-04-01, 09:19 PM)Shade Wrote: [ -> ]I've tried rebasing myself in the past. It's a nightmare, especially at present stages in which there are more than 300 commits to rebase onto. Since 1.9 will diverge from 1.8 eventually, my proposal to speed it up is to apply the main commits onto 1.9 (let's say, security and the biggest features, if any: the list would be reduced significantly), letting most of the others slip: they are related to styling anyway for the most part, which will be far easier to deal with by using Twig.

I agree with this! Not a developer here, but it sounds like a very good idea. We can re-create the issues for a lot of minor commits perhaps after the fact, and add them on a one-by-one basis? The community in general (myself included) would be extremely happy to help out with this and to start doing pull requests for these issues once 1.9 is rebased. I myself will have a lot of free time in the coming months due to the Coronavirus situation (and also due to university graduation). Smile
(2020-04-01, 09:19 PM)Shade Wrote: [ -> ]I've tried rebasing myself in the past. It's a nightmare, especially at present stages in which there are more than 300 commits to rebase onto. Since 1.9 will diverge from 1.8 eventually, my proposal to speed it up is to apply the main commits onto 1.9 (let's say, security and the biggest features, if any: the list would be reduced significantly), letting most of the others slip: they are related to styling anyway for the most part, which will be far easier to deal with by using Twig.
I recently pushed a commit that reverts code style changes made in the move to Twig, a they were the biggest cause for headaches while rebasing. I'm hoping hat's going to make life easier.

My original approach was to rebase version by version in a series of steps, but when I actually tried that in practice, it turned out to take just as much (if not more) effort as I had to check the history not just from now, but from the target release.

I'm hoping with the code style changed back, I'll have a better chance of getting it to go smoothly.


We're also looking at using GitHub actions to automatically merge PRs into both feature and develop/1.9 in the future. We're not entirely clear on whether the MyBB organisation has access to GitHub actions though, as we're currently on a legacy paid plan rather than one of the current plans and some of the new features are blocked for legacy plans. Unfortunately the only person who can fix that is Chris and fixing it may increase the monthly cost significantly.

There are still a few things that rely entirely on Chris, including DNS management and anything that costs the project money. A lot of other things can be done by myself or another administrator (currently Devilshakerz), but that means that I both manage administration tasks as well as development as much as possible.
Another point:

After the rebase, I noticed that there are still some places using the old $templates->... code. We'll need to remove all of these and validate that what they were doing has been implemented in Twig. We'll also want to remove the old templates class (or at least deprecate it). I've not noted them down yet as I only noticed in passing during rebasing.

Another fairly easy contribution would be to add further unit test. We already have a couple of simple ones implemented, but the more automatic tests that we can add to the project, the better. They should hopefully help us catch more obvious bugs that might otherwise slip through the cracks. We're trying automate as much as possible.
Euan: Testing/bug fixes are somewhat my strength as a developer. Once you guys are ready to the point that it is helpful for commits (after the rebase is finished), I'll start installing the github code and will begin looking for these sorts of things as much as possible. I've already done so more than once as a matter of fact, but I haven't submitted any PRs for any bug fixes as I wasn't sure if it would really be helpful yet during the rebase.

I'm more than happy to help in any way that I can! Smile
(2020-04-01, 10:03 PM)Darth Apple Wrote: [ -> ]Euan: Testing/bug fixes are somewhat my strength as a developer. Once you guys are ready to the point that it is helpful for commits (after the rebase is finished), I'll start installing the github code and will begin looking for these sorts of things as much as possible. I've already done so more than once as a matter of fact, but I haven't submitted any PRs for any bug fixes as I wasn't sure if it would really be helpful yet during the rebase.

I'm more than happy to help in any way that I can!  Smile

Awesome, that would be a big help. I'll create a thread after the rebase is done that lays out some of the things that need tested, how Unit Tests are organised, how to run the unit tests, etc.