Time to change forums to Flarum?
Release 1.0 already available.
Flarum are forums 2.0. COOL and responsive thing.
https://flarum.org/
- philipbenr
- Member
- Posts: 1897
- Joined: Fri Jun 14, 2013 01:56
- GitHub: philipbenr
- IRC: philipbenr
- In-game: robinspi
- Location: United States
Re: Time to change forums to Flarum?
Flarum is open source, so it's not like you couldn't see the JavaScript that is built into the project on GitHub. And the admin staff here wouldn't put tracking on it anyway.
Regardless, the forum should move from phpBB to something better, as mod tasks are incredibly annoying to operate.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
Re: Time to change forums to Flarum?
The problem with Flarum is that it is entirely different from a forum. Instead of forums and sub-forums you have categories and tags.
The problem with phpBB on the other hand is that it is heavily outdated in code and concept and extensions feel hacky as hell. Not a good forum overall.
Re: Time to change forums to Flarum?
philipbenr wrote: ↑Tue Jul 06, 2021 03:20
> Flarum is open source, so it's not like you couldn't see the JavaScript that is built into the project on GitHub.
It's not that I couldn't see the source of a proprietary JS too... no, the issue is, you have to enable JS, which opens the door to various attacks, like JS injection through malicious posts for example. Plus it also uses JS from third-party sites, not just the ones you see in the GitHub repo.
philipbenr wrote: ↑Tue Jul 06, 2021 03:20
> And the admin staff here wouldn't put tracking on it anyway.
They might not, but Flarum admittedly does track users, and admins can't turn that feature off (not without patching the source), and you, as end user, can't opt out from the telemetry. The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible. Flarum is just another fancy spyware masquerading as an OSS project, sorry to say that. I see more and more of these lately which is pretty sad.
And if all of that isn't enough, Flarum is missing very important and key features of a forum that you take for granted with phpBB, like the "Active topics" for example.
Cheers,
bzt
- v-rob
- Developer
- Posts: 971
- Joined: Thu Mar 24, 2016 03:19
- GitHub: v-rob
- IRC: v-rob
- Location: Right behind you.
Re: Time to change forums to Flarum?
What we'd need in a forum is something that is similar enough to phpBB to not necessitate reorganization and has phpBB migration code that comes with it. I don't see any way celeron55 will be writing the migration code himself in addition to changing the forum software. I mean, it was a pain for him to just upgrade phpBB on the server, let alone exchange it for a new one.
Of course, it'd be really nice to have Markdown instead of BBCode, regardless of forum software...
Re: Time to change forums to Flarum?
GayJesus wrote: ↑Tue Jul 06, 2021 00:37
> "This site is best viewed in a modern browser with JavaScript enabled."
> nah. I prefer it how it is. "search" could use some improvement.
> For security and privacy I tend to avoid sites that require JS, Google captcha, "agreement" pop ups and all similar data mining, tracking, dangerous bullshits.
JavaScript is on. I mean React + NodeJS. A resurrected, in other words.
Re: Time to change forums to Flarum?
Error! They talk about their site/server, not about Flarum per se.
Please, do not manipulate the data...
Re: Time to change forums to Flarum?
Yeah, and as I have said they do not talk about how their code is doing that and not only their website. Their website is tracking users because they are using Flarum, and the tracker code is in the Flarum code...
What I said was:
"The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible."
I don't, you do. Take a look at the source code, it requests the user's IP and stores it into the objects (like here and here, which then will end up in the database through ORM) with no option to turn this off. Neither by the admins in general, and neither can the users opt out. (As I've already pointed out, you must patch the Flarum source code to get rid of tracking. I've called Flarum a spyware with good reason.)
If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.
Cheers,
bzt
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
Re: Time to change forums to Flarum?
bzt wrote: ↑Sun Jul 11, 2021 11:26
> If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.
How is this different from any other common web application?
Re: Time to change forums to Flarum?
You're talking about server side JS. We're talking about client side JS in browsers. Completely different thing, they are running on different computers. I'm using this forum with JS turned off in my browser, and it works pretty well. I couldn't do that with Flarum (BTW Flarum is written in php, it does not need React and NodeJS either).
For example, if you check the phpBB source, you can see that it does not collect data silently like Flarum; and it does not store sensitive information in the database at all.
For a moment there, let's put aside that collecting IP addresses without users' knowledge or consent and offering no opt-out is in clear violation of GDPR, and let's just focus on the technical part.
It is a totally different thing if the webserver logs the IP and if the application stores it in the db, because CGI scripts should not have access to the webserver logs (except some special admin page maybe, and even then an attacker must do sophisticated data correlations to assign IP to a nick), but in general all CGI scripts must have read-access to the db. It is a similar scenario why password hashes aren't stored in the /etc/passwd file (any app should have read-access to that), rather in a separated shadow file (with only special apps allowed to access). Even if Flarum is totally and completely bug-free (unlikely), one of its modules might have a bug that allows SQL injection and then the attacker can read the sensitive data (without the need for accessing the logs or doing data correlation), it is basically handed over to the attacker on a silver plate. Since reading the db is a valid operation, you can't prevent that, neither in SELinux nor with AppArmor. Setting up protection in MariaDB / MySQL won't work either, because Flarum and its modules are using the same credential. Furthermore since those credentials are stored in clear text, if an attacker gets access to the webserver's DocumentRoot (through some non-Flarum exploit), he can connect to the db without probs and again, access the sensitive data. With separate log files this isn't possible, that would require a privilege escalation exploit too (except when logs are stored on a separate logserver behind a firewall, then the attacker has no chance, not even with escalated privileges).
Oh, sorry, don't ask me about IT security because I'll just go on and on forever...
Cheers,
bzt
Re: Time to change forums to Flarum?
bzt wrote: ↑Sun Jul 11, 2021 11:26
> Yeah, and as I have said they do not talk about how their code is doing that and not only their website. Their website is tracking users because they are using Flarum, and the tracker code is in the Flarum code...
> What I said was:
> "The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible."
> I don't, you do. Take a look at the source code, it requests the user's IP and stores it into the objects (like here and here, which then will end up in the database through ORM) with no option to turn this off. Neither by the admins in general, and neither can the users opt out. (As I've already pointed out, you must patch the Flarum source code to get rid of tracking. I've called Flarum a spyware with good reason.)
> If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.
> Cheers,
> bzt
A forum is never 100% anonymous. How do you control that banned people do not re-enter? Flarum has Cookie Consent indeed.
You also say Flarum can be hacked and steal those IPs. They can also hack the Minetest phpBB forum; according to you no forum or web application should exist because of the danger of being hackable.
Of course everything is hackable, even government agencies. But you can't be afraid, you have to implement security measures and that's it.
I sincerely believe that you are too paranoid (said with all the love in the world).
-
- Member
- Posts: 1118
- Joined: Mon Dec 29, 2014 08:07
- Location: USA
Re: Time to change forums to Flarum?
I for one have never approved of Java. Allowing any website to execute code as an app, with admin privs, which all Java apps require since the runtime must be installed with admin privs, is practically handing the keys to the lock and the pin to the safe and leaving them wide open, and telling everyone that you are doing this. Insane.
Just because it is used by everyone does not mean that this is a sound product nor is its use sound advice. It is, in fact, what is called being a lemming.
runs,
Do not confuse fear with experienced caution. Accusing someone of being afraid of something is offensive and antagonistic.
bzt outlines some very valid points. These are not to be dismissed because you've become a user / fan(atic) of the software.
Java might be popular as a language, but it is OWNED by Oracle. Not very FOSS friendly or open, and bordering on MS/Apple/Google/Facebook territory.
Shad
Re: Time to change forums to Flarum?
JavaScript is not Java.
But anyway, I only proposed another forum more coolz.
- Wuzzy
- Member
- Posts: 4803
- Joined: Mon Sep 24, 2012 15:01
- GitHub: Wuzzy2
- IRC: Wuzzy
- In-game: Wuzzy
Re: Time to change forums to Flarum?
But I like phpBB, actually.
- philipbenr
- Member
- Posts: 1897
- Joined: Fri Jun 14, 2013 01:56
- GitHub: philipbenr
- IRC: philipbenr
- In-game: robinspi
- Location: United States
Re: Time to change forums to Flarum?
It is not the cookies that's problematic, and I've never said they were. It is collecting and storing sensitive data on users that's problematic (and illegal in the EU since GDPR). A session cookie by no means counts as sensitive, but an IP address does.
Even if someone hacks Minetest phpBB, it does not store sensitive data, so there's nothing to steal. You do understand that, right?
Not "according to me", I've never said that.
Of course everything is hackable that's why it is so important not to store sensitive information in places like a public forum.
I sincerely believe that you're deliberately smokescreening the fact that Flarum does collect sensitive data without any option to turn that off or to opt out, while phpBB simply doesn't do that.
philipbenr wrote: ↑Mon Jul 12, 2021 00:36
> Okay, but the process to deal with spam / moving / deleting threads is not great / could definitely be improve
Open an issue on GitHub, if more people are missing those features then I'm sure someone will provide a PR. That's the power of Open Source ;-)
Cheers,
bzt
- philipbenr
- Member
- Posts: 1897
- Joined: Fri Jun 14, 2013 01:56
- GitHub: philipbenr
- IRC: philipbenr
- In-game: robinspi
- Location: United States
Re: Time to change forums to Flarum?
bzt wrote: ↑Mon Jul 12, 2021 11:45
> philipbenr wrote: ↑Mon Jul 12, 2021 00:36
> > Okay, but the process to deal with spam / moving / deleting threads is not great / could definitely be improve
> Open an issue on GitHub, if more people are missing those features then I'm sure someone will provide a PR. That's the power of Open Source ;-)
In theory, someone could open an issue on Flarum GitHub, followed by a PR to make it not collect that kind of information. I'm sure they'd want to have the ability to be in compliance with GDPR. Power of open source, baby. :-P
Regardless, I think it's all moot anyway, since maintaining the forums / web right now is more towards the back of c55's todo list to my understanding. But I personally wouldn't mind an update to a newer UX.
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
Re: Time to change forums to Flarum?
Why Flarum? There are plenty of preferable OSS forum solutions. What about Discourse (https://www.discourse.org/), for example? IIRC Discourse even has phpBB import options.
Re: Time to change forums to Flarum?
LMD wrote: ↑Tue Jul 13, 2021 14:42
> Why Flarum? There are plenty of preferable OSS forum solutions. What about Discourse (https://www.discourse.org/), for example? IIRC Discourse even has phpBB import options.
Discourse NOOOO!!! :-D
It is FREE, not opensource. It is Strategic Opensource Specifically. I read that recently on the web. A guy put in the forum some obscure implementations (I mean not documented) and the admins deleted the thread.
The agenda of Discourse: Use me, and when you get trapped, you'll be mine.
I would like a cool Minetest forum, plenty of colors and elements moving. I mean like Discourse or Discord.
Re: Time to change forums to Flarum?
Read the Discourse affair here:
https://wiki.opensourceecology.org/wiki ... f_Openness
Discourse is evil. Like the Chinese guy.
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
Re: Time to change forums to Flarum?
runs wrote: ↑Tue Jul 13, 2021 17:45
> Read the Discourse affair here:
> https://wiki.opensourceecology.org/wiki ... f_Openness
> Discourse is evil. Like the Chinese guy.
Pretty biased if you ask me.
Re: Time to change forums to Flarum?
philipbenr wrote: ↑Mon Jul 12, 2021 18:37
> In theory, someone could open an issue on Flarum GitHub, followed by a PR to make it not collect that kind of information. I'm sure they'd want to have the ability to be in compliance with GDPR. Power of open source, baby. :-P
Except someone has already done that, several people were warning the Flarum devs that their code isn't GDPR compliant, and it looks like they don't give a sh*t about violating privacy or breaking the EU law. Their proposed "solution" was to obfuscate the last octet in the IP, which is
a) no good at all, and defies the whole purpose of their alleged reason of storing IP in the first place
b) they haven't even implemented that.
runs wrote:
> Discourse NOOOO!!!
I agree. The worst possible alternative, and not Open Source at all.
Cheers,
bzt
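Added example (not part of any post in this thread, and not code from Flarum or phpBB): a Python sketch of the trade-off argued above between cleartext IPs in the application database, the last-octet masking proposal, and the need to recognise banned addresses. All function names and the key are hypothetical, and it assumes the HMAC key is kept outside the database, so that a database-only read does not expose it.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical key, constructed for this example; assumed to live outside the
# database (e.g. in a secrets store), so a database dump alone does not reveal it.
SERVER_KEY = b"constructed-demo-key"


def mask_last_octet(ip: str) -> str:
    """Last-octet masking for IPv4: 256 neighbouring addresses collapse into one value."""
    network = ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/24", strict=False)
    return str(network.network_address)


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text (shown only as the weak variant)."""
    return hashlib.sha256(str(ipaddress.ip_address(ip)).encode()).hexdigest()


def keyed_token(ip: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the packed address; this token is stored instead of the IP."""
    return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()


def is_banned(ip: str, banned_tokens: set) -> bool:
    """Exact-match ban check that never needs the cleartext address at rest."""
    token = keyed_token(ip)
    return any(hmac.compare_digest(token, t) for t in banned_tokens)


def recover_from_plain_hash(digest: str, candidates: str):
    """An unkeyed hash of an IPv4 address falls to simple enumeration of a range."""
    for host in ipaddress.ip_network(candidates):
        if plain_hash(str(host)) == digest:
            return str(host)
    return None


if __name__ == "__main__":
    # Constructed sample addresses from the 203.0.113.0/24 documentation range.
    banned = {keyed_token("203.0.113.77")}
    print(mask_last_octet("203.0.113.77"))      # 203.0.113.0
    print(is_banned("203.0.113.77", banned))    # True
    print(is_banned("203.0.113.78", banned))    # False
    print(recover_from_plain_hash(plain_hash("203.0.113.77"), "203.0.113.0/24"))
```

The keyed token is still a stable per-address identifier, and anyone who obtains both the key and the table can enumerate IPv4 space the same way as for the unkeyed hash.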