New Distributions

Client Joined: Feb 18, 2004 Posts: 22 Location: Israel

Hi,

In the last couple years after php-nuke security flaws, we have been presented with a variety of solutions and paralell distributions that claim to be the ultimate solution for the opensource CMS industry.

My questions is what are the best distros? if there is any what can we users do to make a better evaluation of what is the best solution for our security problems?. Is'nt there any way we can organize some sort of group or entity that can filter these supposed to be great distros?

I think that, the nuke community really should start to think in putting a lid on all this misleading development, since many of them seem to put production sites in jeopardy.

I hope that my voice can be heard and that u nukers out there should have your voice too.

Regards,

JLart

Site Admin Joined: Jun 04, 2004 Posts: 6433

If you're using the core of PHP-Nuke (i.e. you want to remain compatible with PHP-Nuke), your best bet is to keep current with the patches from [ Only registered users can see links on this board! Get registered or login! ] You can see a comparison of security tools for use with PHP-Nuke here.

The main problem is that, although Chatserv and the patch team provide seemingly endless patches, the core development often ignores those patches and / or introduces new security flaws (as was the case with PHP-Nuke 7.7 and 7. Cool

. Until the core development problems are fixed, distributions will continue to flourish - and continue to be needed.

What should you look for in a distribution? Obviously, it should be patched. It would be better if it also included a security tool like NukeSentinel. Beware of distributions that are not compatible (themes, modules, etc.) or that have significantly modified the core, unless you have a high degree of confidence that it will survive longer than 6 months. By survive, I mean be actively developed and supported.

You might ask, "Well, if PHP-Nuke has these issues, why not switch to a different core?" You could do that, of course, but there's no guarantee that you won't have the same problems (or worse) there. Caveat traductor - downloader beware.

I've been looking at various Nuke-compatible distros, and thought about formally comparing them as I did security tools. The problem - as you've alluded - is that they disappear almost as fast as they appear. So, for now, I can only recommend using an already-patched version like you can find here.

If you're interested in addressing the core problems, believe me - you're preaching to the choir, so to speak, by telling us. We all agree what the problems are - but with email-only support, it's difficult to address these problems with the core developer. Even if we all had one voice, we might as well sing in the woods - there is no guarantee that the developer would hear us.

Posted: Mon Oct 03, 2005 8:07 pm

Hi kguske,

I appreciate all that Chatserv, Raven, Bob Marion and countless colaborators do to still keep this project alive, if was'nt for you guys I think nuke would have been ditched a long time ago.

I'm in any way trying to preach to anyone what should or should'nt be done but the main problem lies with the users. If u have users that are more informed by that I mean informed, there would be less strain in so many developers / colaborators in turn the user himself would be more aware of what is going on before being allured in installing these pseudo "solve it all" distros.

I go even further even the propaganda through RSS syndication should be banned or filtered prior to be divulged to the public. This may seem drastic but is a temporary solution until the core gets it's proper handling.

You kindly mentioned the patched versions in nuke fix, I personally haven't had one that worked for me, specially when I click on the modules in the menu and this messages comes up " Sorry, such file doesn't exist... ". This irritates me and I don't even bother to go after the reasons why that happened.

I appreciate your thought in this matter, is anybody else have any comments on this????

JLart

Posted: Mon Oct 03, 2005 9:38 pm

I hate php-nuke, i'm just here to help raven, bob and chatserv.

What i do/have ? I run a "disappear almost as fast as they appear" distro but somehow it's still active.
This is not due to be php-nuke because we are ripping out the compatibility as hard as we can to avoid security issues. We just love an controlled enviornment.

The bad thing ? Well creating a module or add-on is not as easy as in nuke, and we are happy with that since it will force people to learn PHP first or they will get smashed in their face with warnings, notices and errors regarding their coding skills.

We also don't use the word 'PHP' in our name since the PHP License prefers not to do that (i wonder when they will ban the use of it, that will destroy many apps Laughing

).
'Nuke' isn't used either since we are no atomic bomb, we are a portal/cms that flies fast like a dragonfly.

Posted: Mon Oct 03, 2005 9:46 pm

Come on, djmaze... I wasn't including Dragonfly or CPGNuke in my comment. I don't consider Dragonfly a distribution of PHP-Nuke by any means... And it's certainly not here today, gone tomorrow.. Cool

Though PHP prefers that it not be used, there is no way they can prevent it. I like your nuke reference, though - guess I'll have to change the name of my fly-by-night distribution... Very Happy

Posted: Tue Oct 04, 2005 4:40 am

I do agree with kguske, and what is refered here, is the distros that have a spin off from the original nuke with so many addon and gimicks and in reality don't address the main issue which is S.E.C.U.R.I.T.Y.

The main point is that so many ppl that do build a cms they really do for a reason which is, to convey to a certain public their message but, the main put off is when that person picks up these "flash distros" ( don't want to mention any names here it might stir up some blood hehehe, not my intention) spend sometime developing it and end up with another defaced or not functioning at all.

I respect DJmaze and crews work, he should keep on going on he's endevour.

Like I said before all we need is organizing and control these distros. I'm willing to chip in my share of knowledge. I'm no programmer in the same level of you guys, a designer that works mainly with photoshop/Flash and some webdesign . But, in the last 3 years I put up a site under the Nuke flagship and only God knows what I been through to mantain this site online(very high profile attracts many hackers from Brasil and Middle east).

Anyone else???

JLart

Posted: Tue Oct 04, 2005 5:38 am

kguske wrote:

Come on, djmaze... I wasn't including Dragonfly or CPGNuke in my comment. I don't consider Dragonfly a distribution of PHP-Nuke by any means... And it's certainly not here today, gone tomorrow.. Cool

LMAO it seems you took is seriously.

What i ment was "you can't be nuke compliant and better secured" cpgnuke and dragonfly are not compliant and that's the whole issue. If some "smart-ass" is fixing nuke he thinks ahead and does other stuff as well.
That's why all others drop, they either don't have the time or they can't achieve their idea of an nuke.

You shouldn't seek a comparible other then PHP-Nuke+chatserv for security or PHP-Nuke+Steph for compliancy because anyone who makes a derivative and knows s**t about security and w3c should learn at [ Only registered users can see links on this board! Get registered or login! ] first.

As i said to some great people you will not defeat FB with an derivative if someone stood up as the manager and merge all people with their ideas.
But if someone with idea X doesn't get what he wants he just pops up another derivative. You need to be skilled in managing to keep the person with idea X on-board and explain why idea X is bad unless you do Y and Z as well. But that's something not happening and that caused many derivatives without thinking about the consequences.

So if you want to merge them into one project my main question is:

Are you capable of keeping me aboard if had idea X and you can prevent me from doing that and make a derivative ?

Posted: Tue Oct 04, 2005 6:16 am

Thanks - I knew you were kidding - and I wanted to make sure everyone else understood, too - one of the things necessary to keep people in the same boat about ideas x, y and z.

Posted: Wed Oct 05, 2005 12:59 am

I think the reason why so many derivitives come and go is because FB won't fix and stabilize the baseline code. Even those derivitive works authors need to keep up, and frankly, given the bugs and design flaws introduced with each new version, it is an impossible task.

FB even admits in his latest "interview" that he spends a couple of days working on each new release. I MEAN WOW!!! That pretty much says it all now doesn't it?

I think (with all due respect, which is considerable in my case) that the actions of Chatserv and other working on "Patched" in repatching every new release, merely propogate and exasperate the core model problems. I say this only because even the fixes from one version to the next are not standardized in patched.

I surely believe that if the community stopped trying to fix the latest versions until phpnuke.org would agree to at least catch up with fixes from 3 versions ago and standardize the model, the entire community would benefit.

Instead, largely due to other developers (and not FB) 7.9 is now "out there" and patched for 7.9 is "out there" and people actually think that this version is safe, stable and secure when in fact even with Patched it is anything but. In fact, any modules that use the HTML editor are just plain bad, totally unsecured code.

Given that there are new core security flaws introduced with 7.7 that still have not been fixed, I find it ludicris to be distributing "Patched" updates that fail to address any of those major core issues. As I have said before, it's like putting a bandaid on a shotgun wound. I would rather that the conscientious nuke development community concentrate on the last stable version where security and other enhancements can actually be realized versus wasting time on versions that will leave users exposed and at severe risk. Patching this code is simply a waste of everyone's time.

When I think about derivitives, I think one of two scenarios:
1) Those that attempt to tackle core design issues (such as CPG-Nuke and DragonflyCMS)
2) Those that attempt to append features of base nuke code with mods (Such as Platinum, etc...)

The problem with group 1 is that in most cases, there is an inherant incompatibility with PHP-Nuke modules, blocks and other add-on scripts.

The problem with group 2 is that in most cases, there is increased bloat and unwanted new features that are difficult, if not impossible to remove.

I would give anything if there was simply a consolodated effort to take a good baseline of Nuke (like 6.9 or 7.6) and to concentrate on making that code secure and compliant, but have an easy migration path for compatability with existing nuke blocks and modules.

I would also greatly appreciate a scenario where module authors were able to develop one version of a solution and update that one version versus being forced to maintain 3 different versions because Nuke can't stabilize. (For example 6.5 - 7.4 versus 7.5 - 7.6 versus 7.7 - 7.9 all of which have different core models.)

While I agree with most of what DJ says about feature inclusions and exclusions problems that lead to forks and solutions like Dragonfly, I don't believe it is realistic to expect everyone to be an expert on everything which is why some people go the paths that they go. I also think that as things get "too complicated" issues become more difficult to manage. I think taking it in stages (if for no other reason than compatibility with legacy solutions) allows other contributors to "learn in phases". Meaning, if you teach module developers how to simply fix standards issues of phase 1 and then stay at that level for a few versions before making the next "core" change, you are in fact teaching a larger audience at a pace that they can absorb. Trying to spring 50 core model changes on the community is just too much as is exemplified by how few modules have actually been converted to work with the other solutions.

I think some of the complexities inherant to solutions like Dragonfly are the reason why many issues that have existed even on that platform for over a year are still not fixed. If it were easier to work with, there might be more people actually developing and evolving code, though I think in the case of this example, the issues are just as much wrapped around politics as technical knowledge which is another problem that everyone is familiar with. (It's a d***ed if you do, d***ed if you don't scenario)

Surely it is a fine line to develop a stable, compliant and secure version of Nuke that has simple methods to enable legacy compatability, but I do not believe this goal is out of reach or unrealistic.

When I talk about wanting to fork, I'm thinking about a version like 7.6. Standardizing, securing and fixing it and all of its components. I'm not really talking about re-inventing the wheel which I don't think is a bad idea, just not one that I think a large community of users are ready for.

Just my two cents, take it for what it is worth.

Posted: Wed Oct 05, 2005 10:55 am

Basically 64bitguy, from what I could gather here, there is a lot of ego trip going around. Since FB is the core developer his ego is so big that he forgot that one day he depended and worked together with community colaborators.

I really don't have any strings attached with anyone in particular, most of the time I express what I feel and my feelings at this moment are, if there is a way of stabilizing at least one of the versions and work from there that would be fine. At least get something working not full of patches looking like swiss cheese, forget the new releases and derivatives etc...

I hope at least god will answer my prayers

JLart

Involved Joined: Oct 09, 2004 Posts: 293

From an end uesrs piont of view 64bitguy more or less somes it up well. I dont know the 'politics' between factions and coders etc. to take sides or say who is right or wrong.
From obsevation I believe the it is an inherant problem of community devaloped open source. If it comes out of a company, there is a guy at the top who says "this is what is going to happen, cant do it, u are fired" With community open source, very often the "in office differences" dont get solved. This eventually results in total lack of team work, different directions, loosing the plot and colaspe of the product.
A far as I am concerned (and I am concerned) Nuke is a great product...the plot is being lost (thu not seriously as yet but getting there)
It is time for the primary and secondary devalopers to wake up, bary the hatchet and start talking/cooperating/ and listen to those "stupid end users" as to what they want, and what they need.
One Classic example... me...over 12 months I have looked at successful/stupid/big/small sites, looked at their problems and issues, looked at members needs...and applied them very successfully.
I have hacked and bumbled thru others code, producing a couple concepts and block to this end...I need them finished...they ARE what is wanted for many reasons, practical/pretty/SEO/memner privacy etc. I have tried for 9 months to have a coder to finish. Upto 2 days ago I found out why know one wants to do it. One person was polite enough to get back to me andhonest enough to tell me.

Quote:

Dont be disapointed...and im not here to hurt your feelings but as you say...they always say yeah yeah but nothing happens...ill explain why..
Point is,what you have is something that is completely overdeveloped 1000 times...
Think thats why nobody is interested anymore...
Theres so much people can get these days ,you have to think of something very special before anyone even concidders helping out...
That sounds hard but its a fact...
Thanks for asking and thinking about me but you would save yourself a lot of time to just leave it as it is now...
A problem coders/writers also have or create is that they dont like the idea of digging into someone else stuff....
Dont try to understand the mind of a coder steptoe...i stopped doing that...

Why is Gates so successful, not because he can code, but because he understood the market, the end user needs, how to market the concepts and coordinated the team. Hence the competion mac, linix thu great, are left behind.
So its upto u the core coders...bitch /flame/get each others back up/involve personalities.....OR bury the hatchet, talk, listen, cooperate and work as a team.

What does Nuke need?
1/released after better beta testing and patched
2/GT ed , dynamic meta tags, blocks modules provide better member privacy and SOEd
3/Attach mod, approve membership, better search, better translation, better link exchange, where is, ip tracker, maybe gallery and weather
4/More/better notes as to what does what in files and readmes eg email customise default themes
5/removal of redundant blocks modules
6/lite, meduim and full versions
7/customisable Themes thru forums galleries etc
7/Simple stuff like br and html in news
8/Many blocks modules have got to complex and over coded...K.I.S.S