21
MadFish
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 10:24

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


If you have found a security issue, you should report it to the developers directly. That's the way things work. Please use the email address provided above.

22
Herko
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 11:45

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Quote:

xguide wrote:
Quote:
So far, we haven't seen much that's worth a lot...

Me too. No developers, new core, no documentation. Sorry, if machine translation hurts you. I was not my intention to wound your ego or blame your efforts.

If you haven't seen anything in the XOOPS community that is worth a lot, you just haven't been looking. This isn't machine translation, because machine translation follows basic logic. Only broken machine translation keeps repeating the same points over and over again. And where my ego came into this is beyond all logic. Please reread this thread carefully.

Quote:
My young son start to use XOOPS with friends for a personal project at school and ask me to help.
Smart kid!
Quote:
I thought there was mature people managing this project. But your words let me understand it is not a place to old man like me.

Now *that* is childish. Now the maturity of the whole project management is assessed by you. And all by inventing new vague points, insinuations and false accusations. That's what I call immature, but this comment probably falls on deaf ears.

Quote:
But I am happy old man.
I am genuinely glad you are.
Quote:
No developer contact me for security question.
How would they know that they needed to contact you? I have several support questions, feature requests and general usage questions. Can I contact you about those as well? How can we contact you? You might just prove a very valuable resource to everyone. And free of charge too, if I read your previous posts correctly

Quote:
Do not worry. You can think it is stable if you compare to situation 2 years ago. But last time you say it was secure, Mr. Gijoe post with your account (find on the XOOPS forums).

Thank you for bringing this up, because this illustrates my point beautifully. The bug was demonstrated and fixed. All by the community. The bug wasn't reported before and was closed as soon as the developers knew what the bug was. And that is how it works, so if you know of any security vulnerabilities, please let the developers know.
And security vulnerabilities are a fact of life for any and all cms products, open and closed source. The bug and hole free script has yet to be written. So don't act like XOOPS is insecure. It's very stable and secure by any measure. We do not guarantee 100% security, nor does any other CMS out there. And XOOPS has a very good track record. So use facts and behave like a true member of the community. Or not, but then you lose the right to b*tch about it.

Quote:
Why you think developers of php and MySQL still release new versions? You understand technologies evolves and software evolution is a reason for XOOPS security problems.

Aha! So what you're saying here is that XOOPS is safe, but that the underlying software may not be, which in effect may cause XOOPS powered sites to be insecure. Well, nobody can know which holes will appear in the future based on not yet released updates from these developers. That's just another fact of life, nothing that singles out XOOPS as being insecure. In fact... quite the opposite.

Quote:
Xoops is good for people without skills or time to learn to build simple and small site. But it is important developers think of new code for future.

I agree with this statement, but probably for different reasons. XOOPS is simple to master, flexible to expand and easy to maintain. Does that mean XOOPS is perfect? No. Does it mean XOOPS is finished? No. Does it mean XOOPS is dead? No.
New ideas will need new code. New demands will require new code. New code requires new testing and new feedback. This requires new participation from the community.

In conclusion:
is XOOPS dead: NO!
Is XOOPS insecure: NO! (not more so then most other CMS's, better then some -all *known* security holes are patched)
Is XOOPS stable: YES!
Is XOOPS management ego driven and only out for money: NO!
Is XOOPS core development dead: NO! it's eh.. resting*

This concludes this essay. I have put all your worries to rest, based on arguments. Lack of proof does the rest. And I am not even part of the XOOPS management

Herko

23
xguide
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 14:03

  • xguide

  • Just popping in

  • Posts: 43

  • Since: 2005/5/11


Your reply is representative of your ego and immaturity, it is normal, you are young. My son is high as me 1.90 m and he is 15. And he think he can act and decide by himself as a mature man. I try to explain to him to respect everybody, big and small people and respect mature persons because experience his very important. Do you think young people listen to old man? I take time to read your reply, many contradictions, it is normal without experience. You are not a developer, are you? XOOPS requires an environment to run it is one reason to develop and evolve. Second, Mr. Morris also said Quote:
It would take me 1 line of PHP code to bring a server to it's knees using XOOPS, or any other program that allows PHP execution for that matter.
He is part of XOOPS team, please ask him. Maybe he can teach you for free. Quote:
If professionals work on an open source project, shouldn't they get paid? What about businesses who provide value added services based on open source products? Are they wrong? No, they're not. There's no reason whatsoever that open source cannot be paid jobs.

But you want me to do it free. But there no core or developers documentation? You are not a developer and you are not an expert of open source licenses, are you?
Mr. Skalpa is alone and no one helps him. But we can read in your signature you are project manager and on other post you are alone with XOOPS Foundation (maybe it is illegal) but you can take important decisions about the project. You can ask with respect members to join you and help with management. Your position allow you to use financial resources to improve the project and help core development.
Maybe you do not feel secure about your competences to take such decisions. Discuss with other members about decisions and share responsibilities. Sorry about your ego, if you are small, you are as your mom and dad made you with love. It is the most important. Wish you find competences around you to help you grow and xoops. I have other family and tasks priorities. Mr. Morris can teach you, he give good support.

Good Luck.

24
vaughan
Re: Xoops 2.3/2.4 or 3.0 update?
  • 2007/3/26 15:00

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

It would take me 1 line of PHP code to bring a server to it's knees using XOOPS, or any other program that allows PHP execution for that matter.


you are reading that totally out of context. yes it would be easy if you know how.

but i could bring your home PC down to a standstill and you could lose everything just by using 1 piece of code, BUT i would need to find an exploit or an opportunity to be able to execute that code.

it's the same thing with what you just posted, for that to work, you would need to find the hole/exploit and be able to execute it. JMorris didn't say he could bring it down by using xoops, but he could do if the opportunity or hole was there in order to enable him to, ie he has to be able to execute the php script with that code inside. in a sense James was talking hypothetically.

so asking the same question to you again - do you know of a security vulnerability in the current version?

25
JMorris
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 15:02

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


xguide,

If you are going to quote me, please quote me in context. I said

Quote:
It would take me 1 line of PHP code to bring a server to it's knees using XOOPS, or any other program that allows PHP execution for that matter.


And said in my very next post

Quote:
Note: XOOPS is secure, as secure as any application can be given its level of functionality. My comments above refer more to server configuration and not XOOPS.


What this means is that any server that allows PHP is susceptible to malicious use. This includes all PHP powered applications. Drupal, Joomla!, XOOPS, XOOPSCube, Typo3... Pick a PHP powered CMS and it will apply.

The issue is NOT the CMS. It is a abuse of PHP functionality.

The only way to stop this through the CMS is to sanitize any PHP function that can be used maliciously. To do so would severely handicap functionality.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

26
Anonymous
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 15:03

  • Anonymous

  • Posts: 0

  • Since:


@xguide

You posts in this thread and ripe with drivel and balderdash.

You have provided no evidence for anything that you have stated about XOOPS being insecure, either relatively compared to other cms or php-based systems or specifically. The one case that you mentioned from a couple of years ago was fixed in quick time, and in that case it took Gijoe (the author of the XOOPS protector module and therefore the XOOPS security expert to my mind) to find it.

Please tell us what you believe the problem(s) to be - specifics please, not unsubstantiated sweeping generalisations.

With regard to core development, I've only been a XOOPS user for six months and there has been a core upgrade even in that time. What more evidence do you need that core development continues?

Therefore, please either "put up or shut up".

27
JCDunnart
Troll alert!
  • 2007/3/26 16:00

  • JCDunnart

  • Not too shy to talk

  • Posts: 114

  • Since: 2006/7/1 5


xguide is trolling (definitions: wikipedia, flayme.com)

"The only way to deal with trolls is to limit your reaction to reminding others not to respond to trolls." reference

So please do not respond.

28
Anonymous
Re: Troll alert!
  • 2007/3/26 16:17

  • Anonymous

  • Posts: 0

  • Since:


Quote:
JCDunnart wrote:

xguide is trolling.....


I can thing of several other nouns for it, none of them suitable for a public forum

29
davidl2
Re: Xoops 2.3/2.4 or 3.0 update?
  • 2007/3/26 17:23

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


I would suggest that reading of the XOOPSiquette guidelines is in order before any further replies to this thread.

Trolling and Personal insults are not welcomed here.

You are welcome to have your opinions... however a degree of good manners would be appreciated if you wish to express them.

Thank you.

30
Herko
Re: Xoops 2.3/2.4 or 3.0 update? Are we stupid people?
  • 2007/3/26 17:52

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Thanks for giving me a hearty laugh, 'old man'. Your reply is not as mature as you claim it should be. And not just in my eyes either.

[text edited by me to avoid flamewars]

Maturity is about taking responsibility, about not walking away and taking the easy path. About facing up to your challenges, about accepting them with dignity. It is about being honest to your peers, but to yourself most of all. It is about making sacrifices from yourself, and trying to protect others from having to do the same. It is about making choices and facing the consequences.

So far, I've made decent, motivated replies to any and all of your false insinuations and accusations. We have seen no evidence whatsoever. You misquote people out of context, you insinuate people in positions you know nothing about. You disregard any argument that does not fit in your reasoning, and make up contradicting ones to match your points.

the sad thing is that the points you're trying to make go unheard because they are smothered in lies and insinuations. If you tried making your points based on arguments and proof and examples, you probably would have gotten a lot more respect from this community. I have tried to give you the opportunity to present your points, even given you some examples on how to do that. The ball was in your court, but you failed to score. And you only have yourself to blame for that.

I am not dismissing you, or claiming any victory over you. But learn from this experience, and behave like a mature old man with experience and good points that need to be heard.

Herko
Young at Heart, and proud of it

Quote:

xguide wrote:
Your reply is representative of your ego and immaturity, it is normal, you are young. My son is high as me 1.90 m and he is 15. And he think he can act and decide by himself as a mature man. I try to explain to him to respect everybody, big and small people and respect mature persons because experience his very important. Do you think young people listen to old man? I take time to read your reply, many contradictions, it is normal without experience. You are not a developer, are you? XOOPS requires an environment to run it is one reason to develop and evolve. Second, Mr. Morris also said Quote:
It would take me 1 line of PHP code to bring a server to it's knees using XOOPS, or any other program that allows PHP execution for that matter.
He is part of XOOPS team, please ask him. Maybe he can teach you for free. Quote:
If professionals work on an open source project, shouldn't they get paid? What about businesses who provide value added services based on open source products? Are they wrong? No, they're not. There's no reason whatsoever that open source cannot be paid jobs.

But you want me to do it free. But there no core or developers documentation? You are not a developer and you are not an expert of open source licenses, are you?
Mr. Skalpa is alone and no one helps him. But we can read in your signature you are project manager and on other post you are alone with XOOPS Foundation (maybe it is illegal) but you can take important decisions about the project. You can ask with respect members to join you and help with management. Your position allow you to use financial resources to improve the project and help core development.
Maybe you do not feel secure about your competences to take such decisions. Discuss with other members about decisions and share responsibilities. Sorry about your ego, if you are small, you are as your mom and dad made you with love. It is the most important. Wish you find competences around you to help you grow and xoops. I have other family and tasks priorities. Mr. Morris can teach you, he give good support.

Good Luck.

Login

Who's Online

169 user(s) are online (112 user(s) are browsing Support Forums)


Members: 0


Guests: 169


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits