Clyde Frog
SMF software update
« on: April 26, 2022, 09:26:26 PM »
The forum software we're running has a couple updates waiting in the wings right now that I wanted to point out. The biggest update is they released SMF2.1 now as an official, production-ready release (current version is 2.1.1). That's been years in the making, and it seems like there are some nice improvements baked in. However, it's not nearly as easy to migrate to, even for admins running a vanilla SMF instance, so I imagine that will take some time to get ready for this site.

Probably more relevant is the fact that SMF also released version 2.0.19, which is just an incremental bump to the version of the software running here. Sort of. With the tweaks you guys have made over the years, I would imagine the patch might need a closer inspection to make sure it plays nice with your environment, but it does bring some compatibility and security improvements.

https://www.simplemachines.org/community/index.php?topic=579982.0

xasop (Administrator)
Re: SMF software update
« Reply #1 on: April 26, 2022, 09:31:56 PM »
We intentionally didn't upgrade to 2.0.18 because it has some changes to UTF-8 handling, after we'd just spent days testing loads of edge cases and fixing our version to make sure it works well. We still have to replicate that testing on 2.0.18 (or 2.0.19) before we can accept SMF's changes (or apply the update without that particular change). I am unlikely to have much time to devote to that until June.

2.1 is a whole other kettle of fish. I don't know if we even want it at this point. We've fixed so many bugs in 2.0 in features that have been completely overhauled for 2.1 (such as PostgreSQL and IPv6 support) that it would likely continue to generate a lot of work for us for months after "upgrading".
when you try to mock anyone while also running the flat earth society. Lol

Pete Svarrior (Planar Moderator)
Re: SMF software update
« Reply #2 on: April 26, 2022, 10:09:50 PM »
For what it's worth, I've done some work reviewing the changes in both 2.0.18 and 2.0.19 (though admittedly mostly the former). It doesn't look like we're missing out on much. I am particularly grumpy with how SMF handles security patches. They just say "security improvements" without elaborating further, and in the past we've seen them introduce more bugs than they fixed, even in vanilla.

I might have some time for testing early next week, but I wouldn't want to make that a promise.

As for 2.1, I think it might actually be easier to backport any individual improvements that you think may be beneficial. I've made a couple of (very small) contributions to that project, and I've watched it closely. The code quality is not good, even by SMF's standards. It might simply not be worth it.
« Last Edit: April 26, 2022, 10:13:54 PM by Pete Svarrior »
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

Clyde Frog
Re: SMF software update
« Reply #3 on: April 26, 2022, 10:17:55 PM »
The GDPR compliance is probably the most notable change in my book. The ability to download all your data and then permanently delete your account is part of that.

The other thing I liked about it is how they handle passwords, but I think you may have already implemented that here. I'd need to go back and reread the notes, but I think it was a move to bcrypt instead of SHA1 for hashing.
« Last Edit: April 26, 2022, 10:43:00 PM by Clyde Frog »

Pete Svarrior (Planar Moderator)
Re: SMF software update
« Reply #4 on: April 26, 2022, 10:31:37 PM »
Yup, I rewrote our password hashing a few years ago to use password_hash() and password_verify(). Right now this means that passwords are hashed using bcrypt, but that could of course change. The added benefit on our end is that if the PHP defaults change, all active users' passwords will get rehashed on their first successful login. In that way, our implementation is arguably superior to SMF 2.1's.
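The rehash-on-login behaviour described in the post above, as an added example that is not part of the original post and is not the forum's own code. The `login()` function, the in-memory user array and the bare SHA-1 legacy format are assumptions made for illustration; the example goes slightly beyond the post by also upgrading legacy SHA-1 records on the same path.

```php
<?php
declare(strict_types=1);

// Constructed sample records standing in for a members table (hypothetical).
$users = [
    // Assumed legacy format: bare SHA-1 hex digest of the password.
    'alice' => sha1('correct horse'),
    // bcrypt at minimum cost, simulating a hash made under weaker settings.
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 4]),
];

// Verify a login; on success, upgrade the stored hash if it is outdated.
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        // Legacy path: constant-time comparison, then always upgrade.
        $ok = hash_equals($stored, sha1($password));
        $outdated = true;
    } else {
        $ok = password_verify($password, $stored);
        // True when algorithm or cost differ from the current PHP default.
        $outdated = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if ($ok && $outdated) {
        // Only possible here: the plaintext exists solely during a login.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Show the stored algorithm before and after each login attempt.
foreach ([['alice', 'wrong'], ['alice', 'correct horse'], ['bob', 'battery staple']] as [$n, $p]) {
    $before = password_get_info($users[$n]);
    $ok = login($users, $n, $p);
    $after = password_get_info($users[$n]);
    printf("%-5s ok=%-5s %s -> %s (cost %s)\n", $n, var_export($ok, true),
        $before['algoName'], $after['algoName'], $after['options']['cost'] ?? 'n/a');
}
```

A failed login leaves the stored record untouched, so accounts that never log in again keep their old hash until they do.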

xasop (Administrator)
Re: SMF software update
« Reply #5 on: April 26, 2022, 10:32:24 PM »
Quote from Pete Svarrior: "In that way, our implementation is arguably superior to SMF 2.1's."
Along with our implementation of practically everything else we've changed.

Pete Svarrior (Planar Moderator)
Re: SMF software update
« Reply #6 on: April 26, 2022, 10:42:34 PM »
Quote from xasop: "Along with our implementation of practically everything else we've changed."
In this case, I think our solutions are roughly on par (e.g. you could make a purely academic argument that 2.1's session cookies are slightly nicer). It's the fact that they've only moved on from sha1 in 2022 that scares me.

Pete Svarrior (Planar Moderator)
Re: SMF software update
« Reply #7 on: December 21, 2022, 01:55:50 PM »
FWIW, we are now on 2.0.19 and things seem to be relatively not-on-fire. That only took a couple of years.

We were going to push 2.0.18 out first, but that introduced at least one regression which 2.0.19 then fixed, so eh, what the hell.

Please let us know if things do turn out to be on fire.