#1
05-12-2011, 01:37 PM
borbole
Join Date: Jan 2010
Posts: 2,559
Mod Approval

In the light of the recent events where a lot of forums were hacked using a couple of mods downloaded here, wouldn't it be best if the custom mods submitted here were not released right away but first checked, and after making sure that they are safe they can be approved for the users to download and use? Just an idea.
#2
05-12-2011, 02:16 PM
vijayninel
Join Date: Mar 2009
Posts: 537

I think that's a bad and impractical idea. The reasons are as follows.

1. There is not enough manpower to check all these mods. The vb.org mods are volunteers and will be unable to devote enough time and energy for checking these mods. This is only feasible if IB appoints paid members to check the mods.

2. The release of the mods will get delayed and lead to frustration among coders/designers. This will make them contribute less. I have seen this happen on numerous forums though not in the same capacity.

3. There is no guarantee that the auditors will be able to spot all the vulnerabilities in the mods.

4. When the mods are updated then those will have to be checked for vulnerabilities as well and this will slow down release of updates.
#3
05-12-2011, 02:24 PM
borbole
Join Date: Jan 2010
Posts: 2,559

Quote:
Originally Posted by vijayninel
I think that's a bad and impractical idea. The reasons are as follows.

1. There is not enough manpower to check all these mods. The vb.org mods are volunteers and will be unable to devote enough time and energy for checking these mods. This is only feasible if IB appoints paid members to check the mods.

2. The release of the mods will get delayed and lead to frustration among coders/designers. This will make them contribute less. I have seen this happen on numerous forums though not in the same capacity.

3. There is no guarantee that the auditors will be able to spot all the vulnerabilities in the mods.

4. When the mods are updated then those will have to be checked for vulnerabilities as well and this will slow down release of updates.

I understand the cons of having to check the mods beforehand, but I think it will be worthwhile to put the security first. So cases like the recent hackings won't be repeated in the future or at least it will minimize that risk a lot.

This is a standard practice in most well-known forums, free and paid alike. That way the customers here will know for sure that the mods that they will download from here will be safe. At least that is how I see it.
#4
05-12-2011, 03:20 PM
Brandon Sheley
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678

This has been discussed many times.
vb.org isn't going to take responsibility for the mods, and they shouldn't IMO..
#5
05-12-2011, 03:32 PM
vijayninel
Join Date: Mar 2009
Posts: 537

Quote:
Originally Posted by Brandon Sheley
This has been discussed many times.
vb.org isn't going to take responsibility for the mods, and they shouldn't IMO..
If a mod is checked before release, then it does not mean that they are taking responsibility. You can still put the onus on the users.

What borbole is proposing is possible in theory but in practice it will mean a lot more staff and competent reviewers putting in a lot of their time in this work. I don't see that happening.

I would also like to add that a lot of people are overreacting to the recent - advanced forum rules exploits. One of the most exploited mods for vB is vBSEO, which is a paid mod run by paid people. The number of people affected by those exploits is far greater but there was never such a hue and cry over that.

I was amazed to see that some people are saying that they will never use mods from vb.org again. But the point is that it is not possible to guarantee the safety of any software. Even PHP was found with security flaws some time back. Will these people stop using PHP as well?
#6
05-12-2011, 03:34 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Hunt back far enough and you will find this has been discussed a number of times in the past.

vijayninel sums it up pretty well. It's just never going to happen.
#7
05-12-2011, 04:04 PM
private_ale
Join Date: Dec 2007
Location: New Jersey
Posts: 112

Just frankly speaking, if vBulletin.org is going to call itself 'The Official vBulletin Modifications Site' it should do basic audits and take trivial responsibility for the modifications that it hosts and therefore distributes.

I know it sounds unreasonable. But you have to look at it from the eyes of an end user. This site labels itself as the OFFICIAL modifications site. The term 'official' carries a lot of weight.

You see, even though they shouldn't, people make a solid connection between the two sites. When something goes awry with a modification, people make an instant connection with vBulletin as a product and that's when poop hits the fan. Rumors fly and the grapevine grows. All of a sudden the flaws in a 3rd-party plugin become the 'flaws' of the core product.

To the best of my knowledge, forum software such as MyBB and Simple Machines do have basic security audits of plugins and modifications before they are allowed to be listed on the official websites. They are a free product, it's a community effort.

My point is, if vBulletin.org isn't going to make an effort to ensure the items that they distribute are safe, they should drop the 'Official' bit in the slogan. It's more trouble than it's worth, it makes vBulletin as a product look bad. Things like the CMS, Blog, and Mobile Suite are 'Official' modifications. Not the stuff here.

Just my .02
#8
05-12-2011, 04:26 PM
Disasterpiece
Join Date: Apr 2007
Location: GER
Posts: 765

Quote:
My point is, if vBulletin.org isn't going to make an effort to ensure the items that they distribute are safe, they should drop the 'Official' bit in the slogan. It's more trouble than it's worth, it makes vBulletin as a product look bad. Things like the CMS, Blog, and Mobile Suite are 'Official' modifications. Not the stuff here.
The site may be "officially" approved, but the mods aren't. I don't think it's necessary to nitpick on the right word constellation.

Mod authors have the responsibility to produce secure modifications, that's correct.
But on the other hand, users also have the responsibility to keep their systems up-to-date, and for everyone who gets hacked a few days after the patch went live, it's simply their fault.
If the admins who install those addons don't know any better, well how can THEY guarantee their USERS that their information like passwords, emails, potentially more, is in safe hands?

So rather than punishing the staff of vbulletin.org AND the mod authors who produce mods in their free time mostly for zero cash, the user should carry the risk of his own doing or not-doing in case they miss crucial updates.

Some notices that warn users about the potential risk of 3rd party applications may be good sport, but not necessary...

Sorry, I just don't like the thought that vb admins and authors should carry the punishment which results because admins of huge forums don't know what they're doing. :/

/vote for admin-license!
#9
05-12-2011, 04:34 PM
HMBeaty
Join Date: Sep 2005
Posts: 4,141

From the TOS:
Quote:
6. VBULLETIN.ORG MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, PRODUCTS, AND SERVICES CONTAINED ON THIS WEB SITE FOR ANY PURPOSE. ALL SUCH INFORMATION, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
7. VBULLETIN.ORG HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION, PRODUCTS, AND SERVICES CONTAINED ON THIS WEB SITE, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
8. IN NO EVENT SHALL VBULLETIN.ORG BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED
  1. WITH THE USE OR PERFORMANCE OF THIS WEB SITE,
  2. WITH THE DELAY OR INABILITY TO USE THIS WEB SITE,
  3. WITH THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR
  4. FOR ANY INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THIS WEB SITE, OR OTHERWISE ARISING OUT OF THE USE OF THIS WEB SITE, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF VBULLETIN.ORG HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
#10
05-12-2011, 04:36 PM
vijayninel
Join Date: Mar 2009
Posts: 537

While the demands for auditing of mods here are well intentioned, they do not take into account the practical difficulties of implementing such a system in a volunteer-run site. If such an auditing were to be tried here under the current circumstances then it will fail and end up hurting the users more than anyone else.

I can see such a system working here if the system is automated. It could work like this.

1. When a mod is submitted then a software checks it for basic vulnerabilities. Something like the W3C Markup Validation Service.

2. If a vulnerability is detected then the mod falls under moderation pending approval.

This of course means that a software has to be developed that can spot such vulnerabilities and this technology is currently not well developed.