Time to change forums to Flarum?

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Time to change forums to Flarum?

by runs » Post

Release 1.0 already available.

Flarum is forums 2.0. A COOL and responsive thing.

https://flarum.org/

philipbenr
Member
Posts: 1897
Joined: Fri Jun 14, 2013 01:56
GitHub: philipbenr
IRC: philipbenr
In-game: robinspi
Location: United States

Re: Time to change forums to Flarum?

by philipbenr » Post

Flarum is open source, so it's not like you couldn't see the JavaScript that is built into the project on GitHub. And the admin staff here wouldn't put tracking on it anyway.

Regardless, the forum should move from phpBB to something better, as mod tasks are incredibly annoying to operate.

Linuxdirk
Member
Posts: 3219
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Time to change forums to Flarum?

by Linuxdirk » Post

The problem with Flarum is that it is entirely different from a forum. Instead of forums and sub-forums you have categories and tags.

The problem with phpBB on the other hand is that it is heavily outdated in code and concept and extensions feel hacky as hell. Not a good forum overall.

bzt
Member
Posts: 217
Joined: Tue Sep 24, 2019 14:26

Re: Time to change forums to Flarum?

by bzt » Post

philipbenr wrote:
Tue Jul 06, 2021 03:20
Flarum is open source, so it's not like you couldn't see the JavaScript that is built into the project on GitHub.
It's not that I couldn't see the source of a proprietary JS too... no, the issue is, you have to enable JS, which opens the door to various attacks, like JS injection through malicious posts for example. Plus it also uses JS from third-party sites, not just the ones you see in the GitHub repo.
philipbenr wrote:
Tue Jul 06, 2021 03:20
And the admin staff here wouldn't put tracking on it anyway.
They might not, but Flarum admittedly do track users, and admins can't turn that feature off (not without patching the source), and you, as an end user, can't opt out from the telemetry. The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible. Flarum is just another fancy spyware masquerading as an OSS project, sorry to say that. I see more and more of these lately which is pretty sad.

And if all of that isn't enough, Flarum is missing very important and key features of a forum that you take for granted with phpBB, like the "Active topics" for example.

Cheers,
bzt

v-rob
Developer
Posts: 971
Joined: Thu Mar 24, 2016 03:19
GitHub: v-rob
IRC: v-rob
Location: Right behind you.

Re: Time to change forums to Flarum?

by v-rob » Post

What we'd need in a forum is something that is similar enough to phpBB to not necessitate reorganization and has phpBB migration code that comes with it. I don't see any way celeron55 will be writing the migration code himself in addition to changing the forum software. I mean, it was a pain for him to just upgrade phpBB on the server, let alone exchange it for a new one.

Of course, it'd be really nice to have Markdown instead of BBCode, regardless of forum software...
Core Developer | My Best Mods: Bridger - Slats - Stained Glass

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

GayJesus wrote:
Tue Jul 06, 2021 00:37
"This site is best viewed in a modern browser with JavaScript enabled. "

nah. I prefer it how it is. "search" could use some improvement.
For security and privacy I tend to avoid sites that require JS, Google captcha, "agreement" pop-ups and all similar data mining, tracking, dangerous bullshits.
Javascript is on. I mean React + NodeJS. A resurrected, in other words.

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

philipbenr wrote:
Tue Jul 06, 2021 03:20
Flarum admittedly do track users,
Error! They talk about their site/server, not about Flarum per se.

Please, do not manipulate the data...

bzt
Member
Posts: 217
Joined: Tue Sep 24, 2019 14:26

Re: Time to change forums to Flarum?

by bzt » Post

runs wrote:
Sat Jul 10, 2021 22:49
philipbenr wrote:
Tue Jul 06, 2021 03:20
Flarum admittedly do track users,
Error! They talk about their site/server, not about Flarum per se.
Yeah, and as I have said they do not talk about how their code is doing that and not only their website. Their website is tracking users because they are using Flarum, and the tracker code is in the Flarum code...

What I said was:
"The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible."
runs wrote:
Sat Jul 10, 2021 22:49
Please, do not manipulate the data...
I don't, you do. Take a look at the source code, it requests the user's IP and stores it into the objects (like here and here, which then will end up in the database through ORM) with no option to turn this off. Neither by the admins in general, and neither can the users opt out. (As I've already pointed out, you must patch the Flarum source code to get rid of tracking. I've called Flarum a spyware with good reason.)

If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.

Cheers,
bzt

Linuxdirk
Member
Posts: 3219
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Time to change forums to Flarum?

by Linuxdirk » Post

bzt wrote:
Sun Jul 11, 2021 11:26
If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.
How is this different from any other common web application?

bzt
Member
Posts: 217
Joined: Tue Sep 24, 2019 14:26

Re: Time to change forums to Flarum?

by bzt » Post

runs wrote:
Sat Jul 10, 2021 22:46
Javascript is on. I mean React + NodeJS. A resurrected, in other words.
You're talking about server side JS. We're talking about client side JS in browsers. Completely different thing, they are running on different computers. I'm using this forum with JS turned off in my browser, and it works pretty well. I couldn't do that with Flarum (BTW Flarum is written in php, it does not need React and NodeJS either).
Linuxdirk wrote:
Sun Jul 11, 2021 16:36
How is this different from any other common web application?
For example, if you check the phpBB source, you can see that it does not collect data silently like Flarum; and it does not store sensitive information in the database at all.

For a moment there, let's put aside that collecting IP addresses without users' knowledge or consent and offering no opt-out is in clear violation of GDPR, and let's just focus on the technical part.

It is a totally different thing if the webserver logs the IP and if the application stores it in the db, because CGI scripts should not have access to the webserver logs (except some special admin page maybe, and even then an attacker must do sophisticated data correlations to assign IP to a nick), but in general all CGI scripts must have read-access to the db. It is a similar scenario why password hashes aren't stored in the /etc/passwd file (any app should have read-access to that), rather in a separate shadow file (with only special apps allowed to access). Even if Flarum is totally and completely bug-free (unlikely), one of its modules might have a bug that allows SQL injection and then the attacker can read the sensitive data (without the need for accessing the logs or doing data correlation), it is basically handed over to the attacker on a silver plate. Since reading the db is a valid operation, you can't prevent that, neither with SELinux nor with AppArmor. Setting up protection in MariaDB / MySQL won't work either, because Flarum and its modules are using the same credential. Furthermore, since those credentials are stored in clear text, if an attacker gets access to the webserver's DocumentRoot (through some non-Flarum exploit), he can connect to the db without probs and again, access the sensitive data. With separate log files this isn't possible, that would require a privilege escalation exploit too (except when logs are stored on a separate logserver behind a firewall, then the attacker has no chance, not even with escalated privileges).

Oh, sorry, don't ask me about IT security because I'll just go on and on forever...

Cheers,
bzt

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

A forum is never 100% anonymous. How do you control that banned people do not re-enter? Flarum has Cookie Consent indeed.

You also say Flarum can be hacked and steal those IPs. They can also hack the Minetest phpBB forum; according to you no forum or web application should exist because of the danger of being hackable.

Of course everything is hackable, even government agencies. But you can't be afraid, you have to implement security measures and that's it.

I sincerely believe that you are too paranoid (said with all the love in the world).
bzt wrote:
Sun Jul 11, 2021 11:26
runs wrote:
Sat Jul 10, 2021 22:49
philipbenr wrote:
Tue Jul 06, 2021 03:20
Flarum admittedly do track users,
Error! They talk about their site/server, not about Flarum per se.
Yeah, and as I have said they do not talk about how their code is doing that and not only their website. Their website is tracking users because they are using Flarum, and the tracker code is in the Flarum code...

What I said was:
"The code is written in a way that it collects data on users without them knowing or without their consent, it is definitely not GDPR-compatible."
runs wrote:
Sat Jul 10, 2021 22:49
Please, do not manipulate the data...
I don't, you do. Take a look at the source code, it requests the user's IP and stores it into the objects (like here and here, which then will end up in the database through ORM) with no option to turn this off. Neither by the admins in general, and neither can the users opt out. (As I've already pointed out, you must patch the Flarum source code to get rid of tracking. I've called Flarum a spyware with good reason.)

If you don't believe me and neither the source code, then just take a look at an sqldump of any Flarum instance, you'll see IP addresses all over the place, among others stored with ALL posts, and what's even worse, in CLEAR TEXT, no security at all. Anyone with a read-access to the database can get this sensitive information easy-peasy.

Cheers,
bzt

ShadMOrdre
Member
Posts: 1118
Joined: Mon Dec 29, 2014 08:07
Location: USA

Re: Time to change forums to Flarum?

by ShadMOrdre » Post

I for one have never approved of Java. Allowing any website to execute code as an app, with admin privs, which all Java apps require since the runtime must be installed with admin privs, is practically handing the keys to the lock and the pin to the safe and leaving them wide open, and telling everyone that you are doing this. Insane.

Just because it is used by everyone does not mean that this is a sound product nor is its use sound advice. It is, in fact, what is called being a lemming.

runs,

Do not confuse fear with experienced caution. Accusing someone of being afraid of something is offensive and antagonistic.

bzt outlines some very valid points. These are not to be dismissed because you've become a user / fan(atic) of the software.

Java might be popular as a language, but it is OWNED by Oracle. Not very FOSS friendly or open, and bordering on MS/Apple/Google/Facebook territory.



Shad

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

Javascript is not Java.

But anyway, I only proposed another forum more coolz.

Wuzzy
Member
Posts: 4803
Joined: Mon Sep 24, 2012 15:01
GitHub: Wuzzy2
IRC: Wuzzy
In-game: Wuzzy

Re: Time to change forums to Flarum?

by Wuzzy » Post

But I like phpBB, actually.

philipbenr
Member
Posts: 1897
Joined: Fri Jun 14, 2013 01:56
GitHub: philipbenr
IRC: philipbenr
In-game: robinspi
Location: United States

Re: Time to change forums to Flarum?

by philipbenr » Post

Wuzzy wrote:
Sun Jul 11, 2021 22:50
But I like phpBB, actually.
Okay, but the process to deal with spam / moving / deleting threads is not great / could definitely be improved

bzt
Member
Posts: 217
Joined: Tue Sep 24, 2019 14:26

Re: Time to change forums to Flarum?

by bzt » Post

runs wrote:
Sun Jul 11, 2021 21:07
A forum is never 100% anonymous. How do you control that banned people do not re-enter? Flarum has Cookie Consent indeed.
It is not the cookies that's problematic, and I've never said they were. It is collecting and storing sensitive data on users that's problematic (and illegal in the EU since GDPR). A session cookie doesn't count as sensitive by any means, but an IP address does.
runs wrote:
Sun Jul 11, 2021 21:07
You also say Flarum can be hacked and steal those IPs. They can also hack the Minetest phpBB forum
Even if someone hacks Minetest phpBB, it does not store sensitive data, so there's nothing to steal. You do understand that, right?
runs wrote:
Sun Jul 11, 2021 21:07
according to you no forum or web application should exist because of the danger of being hackable.
Not "according to me", I've never said that.
runs wrote:
Sun Jul 11, 2021 21:07
Of course everything is hackable
Of course everything is hackable, that's why it is so important not to store sensitive information in places like a public forum.
runs wrote:
Sun Jul 11, 2021 21:07
I sincerely believe that you are too paranoid (said with all the love in the world).
I sincerely believe that you're deliberately smokescreening the fact that Flarum does collect sensitive data without any option to turn that off or to opt out, while phpBB simply doesn't do that.


philipbenr wrote:
Mon Jul 12, 2021 00:36
Okay, but the process to deal with spam / moving / deleting threads is not great / could definitely be improved
Open an issue on github, if more people are missing those features then I'm sure someone will provide a PR. That's the power of Open Source ;-)

Cheers,
bzt

philipbenr
Member
Posts: 1897
Joined: Fri Jun 14, 2013 01:56
GitHub: philipbenr
IRC: philipbenr
In-game: robinspi
Location: United States

Re: Time to change forums to Flarum?

by philipbenr » Post

bzt wrote:
Mon Jul 12, 2021 11:45
philipbenr wrote:
Mon Jul 12, 2021 00:36
Okay, but the process to deal with spam / moving / deleting threads is not great / could definitely be improved
Open an issue on github, if more people are missing those features then I'm sure someone will provide a PR. That's the power of Open Source ;-)
In theory, someone could open an issue on Flarum GitHub, followed by a PR to make it not collect that kind of information. I'm sure they'd want to have the ability to be in compliance with GDPR. Power of open source, baby. :-P

Regardless, I think it's all moot anyway, since maintaining the forums / web right now is more towards the back of c55's todo list to my understanding. But I personally wouldn't mind an update to a newer UX.

LMD
Member
Posts: 1397
Joined: Sat Apr 08, 2017 08:16
GitHub: appgurueu
IRC: appguru[eu]
In-game: LMD
Location: Germany

Re: Time to change forums to Flarum?

by LMD » Post

Why Flarum? There are plenty of preferable OSS forum solutions. What about Discourse (https://www.discourse.org/), for example? IIRC Discourse even has phpBB import options.
My stuff: Projects - Mods - Website

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

LMD wrote:
Tue Jul 13, 2021 14:42
Why Flarum? There are plenty of preferable OSS forum solutions. What about Discourse (https://www.discourse.org/), for example? IIRC Discourse even has phpBB import options.
Discourse NOOOO!!! :-D

It is FREE, not opensource. It is Strategic Opensource Specifically. I read that recently in the web. A guy put in the forum some obscure implementations (I mean not documented) and the admins deleted the thread.

The agenda of Discourse: Use me, and when you get trapped, you'll be mine.

I would like a cool Minetest forum, plenty of colors and elements moving. I mean like Discourse or Discord.

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Time to change forums to Flarum?

by runs » Post

Read the Discourse affair here:

https://wiki.opensourceecology.org/wiki ... f_Openness

Discourse is evil. Like the Chinese guy.

LMD
Member
Posts: 1397
Joined: Sat Apr 08, 2017 08:16
GitHub: appgurueu
IRC: appguru[eu]
In-game: LMD
Location: Germany

Re: Time to change forums to Flarum?

by LMD » Post

runs wrote:
Tue Jul 13, 2021 17:45
Read the Discourse affair here:

https://wiki.opensourceecology.org/wiki ... f_Openness

Discourse is evil. Like the Chinese guy.
Pretty biased if you ask me.
My stuff: Projects - Mods - Website

bzt
Member
Posts: 217
Joined: Tue Sep 24, 2019 14:26

Re: Time to change forums to Flarum?

by bzt » Post

philipbenr wrote:
Mon Jul 12, 2021 18:37
In theory, someone could open an issue on Flarum GitHub, followed by a PR to make it not collect that kind of information. I'm sure they'd want to have the ability to be in compliance with GDPR. Power of open source, baby. :-P
Except someone has already done that, several people were warning the Flarum devs that their code isn't GDPR compliant, and it looks like they don't give a sh*t about violating privacy or breaking the EU law. Their proposed "solution" was to obfuscate the last octet in the IP, which is
a) no good at all, and defies the whole purpose of their alleged reason of storing IP in the first place
b) they haven't even implemented that.
runs wrote:Discourse NOOOO!!!
I agree. The worst possible alternative, and not Open Source at all.

Cheers,
bzt
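
Added example (not written by any poster in this thread, and not Flarum or phpBB code): a comparison of three ways an application could keep the per-post IP reference argued over above, covering the cleartext storage bzt objects to, the last-octet truncation he says was proposed, and a keyed digest, which is an assumption introduced here and not something the thread proposes. The `posts`/`bans` schema, the user names and the addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import sqlite3

# Assumption: the key lives outside the database and the web root; it is a
# constructed constant here only so the example runs offline.
KEY = b"constructed-demo-key"
# Constructed sample data (RFC 5737 documentation addresses).
POSTS = [("alice", "203.0.113.7"), ("mallory", "203.0.113.42"), ("bob", "198.51.100.9")]
BANNED_IP = "203.0.113.42"

def truncated(ip):
    # Last octet zeroed (IPv4 only in this sketch).
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)

def keyed(ip):
    # Without KEY, a database reader cannot test guesses across the 2**32 IPv4 space.
    return hmac.new(KEY, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()

SCHEMES = {"cleartext": lambda ip: ip, "truncated": truncated, "keyed": keyed}

def build_db(scheme):
    store = SCHEMES[scheme]
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (author TEXT, ip_ref TEXT)")  # hypothetical schema
    db.execute("CREATE TABLE bans (ip_ref TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?)", [(a, store(ip)) for a, ip in POSTS])
    db.execute("INSERT INTO bans VALUES (?)", (store(BANNED_IP),))
    return db

def is_banned(db, scheme, ip):
    ref = SCHEMES[scheme](ip)
    return db.execute("SELECT 1 FROM bans WHERE ip_ref = ?", (ref,)).fetchone() is not None

def readable_in_dump(db):
    # Values in posts.ip_ref that a read-only dump shows as usable addresses.
    readable = []
    for (ref,) in db.execute("SELECT ip_ref FROM posts"):
        try:
            ipaddress.ip_address(ref)
            readable.append(ref)
        except ValueError:
            pass  # opaque digest, not an address
    return sorted(readable)

def evaluate(scheme):
    db = build_db(scheme)
    return {"ban_holds": is_banned(db, scheme, BANNED_IP),
            "neighbour_blocked": is_banned(db, scheme, "203.0.113.7"),
            "readable": readable_in_dump(db)}

if __name__ == "__main__":
    for name in SCHEMES:
        print(name, evaluate(name))
```

Truncation keeps the ban working only by also blocking the neighbour in the same /24, and the dump still shows the network. The keyed digest is only as good as the separation between the key and the database.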
