The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Mod Approval
In the light of the recent events where a lot of forums were hacked using a couple of mods downloaded here, wouldn't it be best if the custom mods submitted here were not released right away but were first checked, and after making sure that they are safe they could be approved for the users to download and use? Just an idea.
#2
I think that's a bad and impractical idea. The reasons are as follows.
1. There is not enough manpower to check all these mods. The vb.org mods are volunteers and will be unable to devote enough time and energy for checking these mods. This is only feasible if IB appoints paid members to check the mods.
2. The release of the mods will get delayed and lead to frustration among coders/designers. This will make them contribute less. I have seen this happen on numerous forums though not in the same capacity.
3. There is no guarantee that the auditors will be able to spot all the vulnerabilities in the mods.
4. When the mods are updated then those will have to be checked for vulnerabilities as well and this will slow down release of updates.
#3
Quote:
I understand the cons of having to check the mods beforehand, but I think it will be worthwhile to put the security first. So cases like the recent hackings won't be repeated in the future or at least it will minimalize that risk a lot. This is a standard practice in most well-known forums, free and paid alike. Like that the customer here will know for sure that the mods that they will download from here will be safe. At least that is how I see it.
#4
this has been discussed many times
vb.org isn't going to take responsibility for the mods, and they shouldn't IMO..
#5
Quote:
What borbole is proposing is possible in theory but in practice it will mean a lot more staff and competent reviewers putting in a lot of their time in this work. I don't see that happening. I would also like to add that a lot of people are overreacting to the recent - advanced forum rules exploits. One of the most exploited mods for vB is vBSEO, which is a paid mod run by paid people. The number of people affected by those exploits is far greater but there was never such a hue and cry over that. I was amazed to see that some people are saying that they will never use mods from vb.org again. But the point is that it is not possible to guarantee the safety of any software. Even PHP was found with security flaws some time back. Will these people stop using PHP as well?
#6
Hunt back far enough and you will find this has been discussed a number of times in the past.
vijayninel sums it up pretty well. It's just never going to happen.
#7
Just frankly speaking, if vBulletin.org is going to call itself 'The Official vBulletin Modifications Site' it should do basic audits and take trivial responsibility for the modifications that it hosts and therefore distributes.
I know it sounds unreasonable. But you have to look at it from the eyes of an end user. This site labels itself as the OFFICIAL modifications site. The term 'official' carries a lot of weight. You see, even though they shouldn't, people make a solid connection between the two sites. When something goes awry with a modification, people make an instant connection with vBulletin as a product and that's when poop hits the fan. Rumors fly and the grapevine grows. All of a sudden the flaws in a 3rd-party plugin become the 'flaws' of the core product. To the best of my knowledge, forum softwares such as MyBB and Simple Machines do have basic security audits of plugins and modifications before they are allowed to be listed on the official websites. They are a free product, it's a community effort. My point is, if vBulletin.org isn't going to make an effort to ensure the items that they distribute are safe, they should drop the 'Official' bit in the slogan. It's more trouble than it's worth, it makes vBulletin as a product look bad. Things like the CMS, Blog, and Mobile Suite are 'Official' modifications. Not the stuff here. Just my .02
#8
Quote:
Mod authors have the responsibility to produce secure modifications, that's correct. But on the other hand, users also have the responsibility to keep their systems up-to-date, and for everyone who gets hacked a few days after the patch went live, it's simply their fault. If the admins who install those addons don't know any better, well how can THEY guarantee their USERS that their information like passwords, emails, potentially more, is in safe hands? So rather than punishing the staff of vbulletin.org AND the mod authors who produce mods in their free time mostly for zero cash, the user should carry the risk of his own doing or not-doing in case they miss crucial updates. Some notices that warn users about the potential risk of 3rd party applications may be good sport, but not necessary... Sorry, I just don't like the thought that vb admins and authors should carry the punishment which results because admins of huge forums don't know what they're doing. :/ /vote for admin-license!
#9
From the TOS:
Quote:
#10
While the demands for auditing of mods here are well intentioned, they do not take into account the practical difficulties of implementing such a system in a volunteer-run site. If such auditing were to be tried here under the current circumstances then it will fail and end up hurting the users more than anyone else.
I can see such a system working here if the system is automated. It could work like this.
1. When a mod is submitted then a software checks it for basic vulnerabilities. Something like the W3C Markup Validation Service.
2. If a vulnerability is detected then the mod falls under moderation pending approval.
This of course means that a software has to be developed that can spot such vulnerabilities and this technology is currently not well developed.
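
Added example, not part of the thread or of any vBulletin.org tooling: a sketch of the two-step gate proposed in post #10, where a submitted mod's PHP is scanned for a few risky constructs and any hit holds it for moderation. The rule set, status names, file-extension choice and sample submissions are constructed for illustration.

```python
import re

# Constructed heuristics (assumptions for this example, not a vBulletin.org
# rule set): each flags a PHP construct worth a human look before listing.
_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
RULES = [
    ("eval-dynamic", re.compile(r"\beval\s*\([^;]*\$")),
    ("unserialize-input", re.compile(r"\bunserialize\s*\([^;]*" + _INPUT)),
    ("include-input",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*" + _INPUT)),
    ("raw-input-in-query", re.compile(r"\bquery\w*\s*\([^;]*" + _INPUT)),
]

def scan_php(source):
    """Return sorted (line, rule_id) findings for one PHP source string."""
    findings = []
    for rule_id, pattern in RULES:
        for m in pattern.finditer(source):
            # Statements may span lines; report the line where the match starts.
            findings.append((source.count("\n", 0, m.start()) + 1, rule_id))
    return sorted(findings)

def triage(files):
    """files maps path -> text. Returns (status, {path: findings})."""
    flagged = {}
    for path, text in files.items():
        if path.endswith((".php", ".xml")):  # assumed: PHP may sit in XML too
            hits = scan_php(text)
            if hits:
                flagged[path] = hits
    # Step 2 of the proposal: any hit holds the mod for manual approval.
    return ("pending_moderation" if flagged else "listed"), flagged

# Constructed sample submissions (not real mods).
SAMPLE_RISKY = {"rules.php": """<?php
$id = $_GET['id'];
$row = $db->query_first(
    "SELECT * FROM rules WHERE ruleid = " . $_REQUEST['ruleid']
);
eval($row['code']);
"""}
SAMPLE_CLEAN = {"rules.php": """<?php
$id = intval($cleaned['ruleid']);
$row = $db->query_first("SELECT * FROM rules WHERE ruleid = $id");
"""}

if __name__ == "__main__":
    for name, sub in (("risky", SAMPLE_RISKY), ("clean", SAMPLE_CLEAN)):
        print(name, triage(sub))
```

Pattern matching of this kind only sees request input used directly inside the flagged call, so a "listed" result is a triage signal for reviewers, not an assurance that the mod is safe.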