MyBB Community Forums

Full Version: Mods & Plugins
(2010-07-08, 01:09 AM)Darkmew Wrote: [ -> ]
(2010-07-07, 09:18 PM)Ryan Gordon Wrote: [ -> ]I know you aren't a programmer/someone who has much experience in security but do you realize how much of a security vulnerability that is? That would be the LARGEST vulnerability MyBB would ever have. Giving authors arbitrary access to your server to upload arbitrary PHP code would probably even have CNN talking about us.

Sorry, I am not trying to be rude and I totally respect you as a person and in any other conversation we might have, but that idea is ridiculous.

You misunderstand what I am saying.
For instance, as previously stated, maybe 2.0 will have an auto update system. The fact that this is allowed is because MyBB is a trusted site.
Similarly, I do not think that users are stupid enough to let just anyone upload files to their server automatically (and if they are then I doubt even CNN would wanna interview them).

Anyway the thing to realize is the word trusted authors from trusted sites.


If not at the very least a small message in the admincp that says Update to xxx available. I know it's not automatic but keeps everyone happy.
You would NEVER want a third party source to be able to upload any files to your server. Most dangerous thing when it comes to keeping your site up.
(2010-07-08, 01:27 AM)Ryan Gordon Wrote: [ -> ]I didn't misunderstand anything you were saying. There is no such thing as trusted authors from trusted sites in a world of good security.

People break or mess up all the time.

Even if the person wasn't the problem, the trusted "source" could become compromised. Having one single manageable, secure, trusted point is the best security you can get. Once you add these other sites you exponentially grow your failure rate from any view point.

If WordPress allowed auto updates from the outside there is no way in hell I would run WordPress for any of my blogs or sites.

There's no point in discussing letting 3rd parties right into your filesystem and server anymore because you're not going to win. Any security analyst would tell you the same.

Having understood that, I retract my previous statement.
I'm assuming you've never wget'd from a 3rd party server then? I do it all the time. Hasn't bit my bottom yet.
(2010-07-08, 02:29 AM)Mark.M Wrote: [ -> ]I'm assuming you've never wget'd from a 3rd party server then? I do it all the time. Hasn't bit my bottom yet.

You fail to understand the problem still.

The issue is not knowingly simply downloading specific URLs. As an end user, I have no way of knowing where my updates are coming from if you allow them to be outsourced. And not only that, we are not just simply downloading content (which is what wget does); we are immediately replacing PHP files in your file system with newer ones, which is execution. If any of them happens to be compromised in any way, then it may be logging your passwords and information without you ever knowing it.

And not only simply that: the MyBB ACP is NOT your shell terminal. There is a huge difference between people who use terminals and know the risks and the responsibilities of using one versus the average Joe administrator who is just looking to run a forum with some plugins that he wants and keeping them up-to-date.

These aren't difficult concepts to understand if you just think about them and the effects that what is being proposed would have.
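
The point made in the post above, that an updater which replaces PHP files should accept them from one trusted origin only, can be written as a check that runs before anything touches the file system. This is an added example, not part of the original thread and not MyBB code; the host `updates.example.org`, the manifest format and the function names are assumptions, and the SHA-256 digest check goes beyond what the thread itself discusses.

```php
<?php
// Added example: hypothetical updater policy, not MyBB's own code.
// Assumed: one pinned update host and a manifest of SHA-256 digests
// that was itself fetched from that host.
const TRUSTED_UPDATE_HOST = 'updates.example.org'; // placeholder host

// True only for https URLs whose host is exactly the pinned host.
function is_trusted_origin(string $url): bool
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    // Refuse embedded credentials and non-default ports to keep the rule auditable.
    if (isset($p['user']) || isset($p['pass']) || (isset($p['port']) && $p['port'] !== 443)) {
        return false;
    }
    return strtolower($p['scheme']) === 'https'
        && strtolower($p['host']) === TRUSTED_UPDATE_HOST; // exact match, no suffix test
}

// Decide whether downloaded bytes may replace plugin files on disk.
function may_install(string $url, string $name, string $bytes, array $manifest): bool
{
    if (!is_trusted_origin($url) || !isset($manifest[$name]) || !is_string($manifest[$name])) {
        return false;
    }
    // Constant-time comparison of expected and actual digest.
    return hash_equals(strtolower($manifest[$name]), hash('sha256', $bytes));
}

// Constructed sample data.
$package  = "<?php // hello_plugin 1.1\n";
$manifest = ['hello_plugin' => hash('sha256', $package)];
$cases = [
    ['https://updates.example.org/hello_plugin.zip', $package],
    ['https://updates.example.org/hello_plugin.zip', $package . 'tampered'],
    ['http://updates.example.org/hello_plugin.zip', $package],
    ['https://updates.example.org.mirror.example/hello_plugin.zip', $package],
    ['https://author-site.example/hello_plugin.zip', $package],
];
foreach ($cases as [$url, $bytes]) {
    $ok = may_install($url, 'hello_plugin', $bytes, $manifest);
    printf("%-62s %s\n", $url, $ok ? 'install' : 'refuse');
}
```

Only the first case passes both checks; the lookalike host fails because the comparison is an exact match rather than a prefix or suffix test.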
I've just been confused a little about the whole issue, I'd like both sides to be happy, but I've come to this conclusion:
Why does an author's plugin site require traffic?
It's just plain selfish and doesn't really benefit, if these new restrictions are a huge downfall for your site, you're just doing something wrong.
Even with these new restrictions I'm still proudly visiting mybbsource because they just offer quality.
Also, I KNOW their support is better even when a topic here is made, so their site is just good enough to keep me coming.

Secondly, all you authors are being selfish, and none of you have hardly thought about the 2.0 update features.

Think about the Ubuntu community, sure they'll let people who created stuff over at ubuntuforums.com add it to "THEIR" repository, but I hardly doubt the Ubuntu community will ever let any 3rd party make core changes.
Same goes for the WordPress comment, if they'd let 3rd party update core systems, I wouldn't be using Ubuntu nor WordPress.
Think a little more about the consequences of your actions and the future of MyBB, not your plugin, and not just at here, now and yourself.
Get rid of plugin section, make an independent site/forum and give someone the ability to monitor it. Mods and developers get corrupted easily and this is the better option for all. Developers should focus on developing and not on the plugins and whining about them. If you don't want to execute that idea, then allow lite versions of paid plugins. That way everyone is satisfied.
(2010-07-08, 11:59 AM)laeresh Wrote: [ -> ]It's just plain selfish and doesn't really benefit, if these new restrictions are a huge downfall for your site, you're just doing something wrong.
Doesn't it make sense to you that most of the traffic to a MyBB plugin site would come from the official MyBB support forums....
(2010-07-08, 11:59 AM)laeresh Wrote: [ -> ]Even with these new restrictions I'm still proudly visiting mybbsource because they just offer quality.
As I said earlier, these new rules don't affect sites that are already popular.
laeresh Wrote:Secondly, all you authors are being selfish, and none of you have hardly thought about the 2.0 update features.
So all of us have? I think you should think about your English before you post. Me and Mark.M had a long talk about this over MSN.
laeresh Wrote:Think about the Ubuntu community, sure they'll let people who created stuff over at ubuntuforums.com add it to "THEIR" repository, but I hardly doubt the Ubuntu community will ever let any 3rd party make core changes.
Same goes for the WordPress comment, if they'd let 3rd party update core systems, I wouldn't be using Ubuntu nor WordPress.
Yes, some things in the repo do edit core files....

laeresh Wrote:Think a little more about the consequences of your actions and the future of mybb, not your plugin, and not just at here, now and yourself.
I am. Plugins are one of the big appeals for many users. They add the features users want without having to edit core files manually, or include it in the base release.... You should think more about your actions and words than you think.
(2010-07-08, 01:27 PM)Murloc Wrote: [ -> ]Get rid of plugin section, make an independent site/forum and give someone the ability to monitor it. Mods and developers get corrupted easily and this is the better option for all. Developers should focus on developing and not on the plugins and whining about them. If you don't want to execute that idea, then allow lite versions of paid plugins. That way everyone is satisfied.

It was like that for awhile but the only people who were running it were MyBB still. MyBB isn't going to put this in the hands of anyone other than the staff because of security, especially with automatically updating plugins in 2.0.
(2010-07-08, 01:27 PM)Murloc Wrote: [ -> ]Get rid of plugin section, make an independent site/forum and give someone the ability to monitor it. Mods and developers get corrupted easily and this is the better option for all. Developers should focus on developing and not on the plugins and whining about them. If you don't want to execute that idea, then allow lite versions of paid plugins. That way everyone is satisfied.

+1

Best idea I've heard in a while. And @ Alex, make sure it's a non-staff, to avoid conflict of interest.
(2010-07-08, 04:18 PM)Mark.M Wrote: [ -> ]
(2010-07-08, 01:27 PM)Murloc Wrote: [ -> ]Get rid of plugin section, make an independent site/forum and give someone the ability to monitor it. Mods and developers get corrupted easily and this is the better option for all. Developers should focus on developing and not on the plugins and whining about them. If you don't want to execute that idea, then allow lite versions of paid plugins. That way everyone is satisfied.

+1

Best idea I've heard in a while. And @ Alex, make sure it's a non-staff, to avoid conflict of interest.

There isn't a conflict of interest already. There seem to be some imaginative stories that have popped up that make it sound like there is an automatic conflict of interest if you become MyBB staff.

You only make it a conflict of interest if you think there's a conflict of interest. Which there's not.


(2010-07-08, 01:42 PM)Tommyk Wrote: [ -> ]
(2010-07-08, 11:59 AM)laeresh Wrote: [ -> ]It's just plain selfish and doesn't really benefit, if these new restrictions are a huge downfall for your site, you're just doing something wrong.
Doesn't it make sense to you that most of the traffic to a MyBB plugin site would come from the official MyBB support forums....

Not if that forum wasn't supposed to exist in the first place?

(2010-07-08, 01:42 PM)Tommyk Wrote: [ -> ]
(2010-07-08, 11:59 AM)laeresh Wrote: [ -> ]Even with these new restrictions I'm still proudly visiting mybbsource because they just offer quality.
As I said earlier, these new rules don't affect sites that are already popular.

And what makes you think that? Sites that already exist will definitely be affected. Maybe you don't see it right now, but they will be affected.

I can guarantee that the reason we have sites like MyBB Central is because they don't have the ability to do the same things on the MyBB site yet. Your site is because you don't want to participate in this community.