
Thread: RE: phpBB Alternative




RE: phpBB Alternative
2008-04-11 15:26:42
I'm looking at Vanilla too, now. I did the install yesterday. I haven't
reached a final conclusion about it, yet. It seems a bit more
straightforward than phpBB, but the permissioning system isn't as
intuitive as I might like. I hope once I figure it out, though,
everything else is cake.

On the security issue, phpBB definitely has a _history_ of security
problems. Part of the problem, of course, is that it's so widely used,
that a phpBB installation is a honeypot for hackbots. It might help if
the public interface didn't say "phpBB" on the frontpage by default.
Technically, I'm unclear as to whether I'm allowed to remove the
copyright statement from the software under GPL. I really don't like
advertising what software I'm using, though I'm not under the illusion
that obscurity == security.

Anyhow, the directory structure of phpBB is such that directories that
should be private are placed in the document path. These days, I would
never build a Web application that way. I'd put the installation in a
completely different directory and use symbolic links in the document
path to point to the public directory. I realize that probably adds a
level of complexity to the installation process that some users might
not be comfortable with, but it's a better design pattern.

- David


---
David Cloutman <dcloutmanco.marin.ca.us>
Electronic Services Librarian
Marin County Free Library 

-----Original Message-----
From: web4lib-bounceswebjunction.org
[mailto:web4lib-bounceswebjunction.org] On Behalf Of Andrew Stevens
Sent: Friday, April 11, 2008 10:08 AM
To: web4libwebjunction.org
Subject: Re: [Web4lib] phpBB Alternative

I looked at Vanilla as well and generally like what I saw. Another
thing that vanilla has over most other forum packages is that it has
relatively few reported security vulnerabilities, while phpbb, according
to Ed Finkler's research (see link below), is one of the most insecure.

Ed Finkler
funkatron.com: The PHP App Insecurity Top 20
<http://funkatron.com/index.php/site/the_php_app_insecurity_top_20/>

Chris Barr wrote:
> Vanilla has a nice simple interface:
>
> http://getvanilla.com/
>
> --chris barr
>
> Cloutman, David wrote:
>> Hi Everyone,
>>
>> I have a need to set up a forum for my Library's summer reading. We
>> are hosting it internally on our Library's application server. I have
>> installed phpBB, which seems to be the most popular tool for this. My
>> problem is that I don't think phpBB is all that great. The more I use
>> it, the more I hate it. I find the interface confusing, and I think
>> our users may have problems with it as well. I'm particularly
>> concerned about the Librarians who will have to moderate the posts. I
>> don't want to have to do a formal training session on what really
>> needs to be a quick and dirty solution.
>>
>> I am looking for a forum tool that:
>>
>> 1. Runs on PHP / MySQL OR JSP / MySQL / Tomcat and is easy to
>>    install.
>> 2. Has a really simple interface.
>> 3. Has an obvious mechanism for changing the branding of the masthead.
>> 4. Has enough granularity in the security system to allow for
>>    registered users / moderators / administrators.
>> 5. Permits the administrator to require approval of posts.
>> 6. Has a really simple interface. (Yes, I said that twice.)
>>
>> Any recommendations or library success stories would be much
>> appreciated.
>>

_______________________________________________
Web4lib mailing list
Web4libwebjunction.org
http://lists.webjunction.org/web4lib/


Email Disclaimer: http://www.co.marin.ca.us/nav/misc/EmailDisclaimer.cfm
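
The layout David describes in the message above, as an added example that is not part of the original message or of either forum package: the install sits outside the document root, only its public directory is symlinked in, and a check lists any file the web server could reach that is not in that public directory. The directory names (`apps/forum`, `config`, `public`, `htdocs`) and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; directory names (apps/forum, config, public, htdocs)
# are hypothetical and are not phpBB's or Vanilla's actual layout.

# Build the layout described above: the install lives outside the document
# root and only its public directory is symlinked into the document path.
build_layout() {
    base=$1
    mkdir -p "$base/apps/forum/public" "$base/apps/forum/config" "$base/htdocs"
    printf '<?php // front controller\n' > "$base/apps/forum/public/index.php"
    printf 'db_password=constructed-sample\n' > "$base/apps/forum/config/db.ini"
    ln -s "$base/apps/forum/public" "$base/htdocs/forum"
}

# List every file reachable under the document root (symlinks followed)
# whose real directory is not inside the one directory meant to be public.
audit_docroot() {
    docroot=$1
    public_real=$(cd "$2" && pwd -P) || return 1
    find -L "$docroot" -type f | while IFS= read -r f; do
        dir_real=$(cd "$(dirname "$f")" && pwd -P)
        case "$dir_real/" in
            "$public_real"/*) ;;              # served from the public directory
            *) printf '%s\n' "$f" ;;          # private file exposed to the web
        esac
    done
}

# Stand-alone demonstration in a throwaway directory.
demo=$(mktemp -d)
build_layout "$demo"
echo "exposed private files: $(audit_docroot "$demo/htdocs" "$demo/apps/forum/public" | wc -l)"
rm -rf "$demo"
```

With Apache, the symlinked directory is only served if following symlinks is permitted for it (`Options FollowSymLinks`).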






Re: phpBB Alternative
2008-04-11 17:43:25
This thread covers the issue and athakur999's response jibes with my
understanding of the GPL.

http://www.phpbb.com/community/viewtopic.php?p=2828800&sid=40c921132e49f3318cf1feb5f253e704#p2828800

You can modify GPL software to your heart's content, but you can't
redistribute the modified version under a license other than GPL. In
short, you could strip out the "powered by" text,

Cloutman, David wrote:
> I'm looking at Vanilla too, now. I did the install yesterday. I haven't
> reached a final conclusion about it, yet. It seems a bit more
> straightforward than phpBB, but the permissioning system isn't as
> intuitive as I might like. I hope once I figure it out, though,
> everything else is cake.
>
> On the security issue, phpBB definitely has a _history_ of security
> problems. Part of the problem, of course, is that it's so widely used,
> that a phpBB installation is a honeypot for hackbots. It might help if
> the public interface didn't say "phpBB" on the frontpage by default.
> Technically, I'm unclear as to whether I'm allowed to remove the
> copyright statement from the software under GPL. I really don't like
> advertising what software I'm using, though I'm not under the illusion
> that obscurity == security.
>
> Anyhow, the directory structure of phpBB is such that directories that
> should be private are placed in the document path. These days, I would
> never build a Web application that way. I'd put the installation in a
> completely different directory and use symbolic links in the document
> path to point to the public directory. I realize that probably adds a
> level of complexity to the installation process that some users might
> not be comfortable with, but it's a better design pattern.
>
> - David
>
>
> ---
> David Cloutman <dcloutmanco.marin.ca.us>
> Electronic Services Librarian
> Marin County Free Library
>
> 
> -----Original Message-----
> From: web4lib-bounceswebjunction.org
> [mailto:web4lib-bounceswebjunction.org] On Behalf Of Andrew Stevens
> Sent: Friday, April 11, 2008 10:08 AM
> To: web4libwebjunction.org
> Subject: Re: [Web4lib] phpBB Alternative
>
> I looked at Vanilla as well and generally like what I saw. Another
> thing that vanilla has over most other forum packages is that it has
> relatively few reported security vulnerabilities, while phpbb, according
> to Ed Finkler's research (see link below), is one of the most insecure.
>
> Ed Finkler
> funkatron.com: The PHP App Insecurity Top 20
> <http://funkatron.com/index.php/site/the_php_app_insecurity_top_20/>
> 
> Chris Barr wrote:
>> Vanilla has a nice simple interface:
>>
>> http://getvanilla.com/
>>
>> --chris barr
>>
>> Cloutman, David wrote:
>>> Hi Everyone,
>>>
>>> I have a need to set up a forum for my Library's summer reading. We
>>> are hosting it internally on our Library's application server. I have
>>> installed phpBB, which seems to be the most popular tool for this. My
>>> problem is that I don't think phpBB is all that great. The more I use
>>> it, the more I hate it. I find the interface confusing, and I think
>>> our users may have problems with it as well. I'm particularly
>>> concerned about the Librarians who will have to moderate the posts. I
>>> don't want to have to do a formal training session on what really
>>> needs to be a quick and dirty solution.
>>>
>>> I am looking for a forum tool that:
>>>
>>> 1. Runs on PHP / MySQL OR JSP / MySQL / Tomcat and is easy to
>>>    install.
>>> 2. Has a really simple interface.
>>> 3. Has an obvious mechanism for changing the branding of the masthead.
>>> 4. Has enough granularity in the security system to allow for
>>>    registered users / moderators / administrators.
>>> 5. Permits the administrator to require approval of posts.
>>> 6. Has a really simple interface. (Yes, I said that twice.)
>>>
>>> Any recommendations or library success stories would be much
>>> appreciated.
>>>

