Suit up!
June 03, 2014, 11:00:17 AM Posted by Dragooon on June 03, 2014, 11:00:17 AM in Suit up! | 42 CommentsHello! Time for another update regarding our progress with 2.1.
Change in password hash
Passwords stored in the database are hashed. In the unlikely event that your database gets stolen and the passwords are leaked, the thief cannot see the actual password without cracking the hash. The hash protects the user's password being in plain sight to the attacker and helps protect their online identity on that site, as well as, potentially, other sites.
SMF has been using SHA-1 hash for its passwords from 1.1 to 2.0 and while SHA-1 still has no known weakness, it's a weak hash by today's standard and is susceptible to being cracked via brute force attacks. While this is still a hard task and would probably require GPU farms to be effective on a large scale, it's definitely a threat especially to passwords which are weak, commonly used and/or based on common dictionary words.
With 2.1 the entire hash has been switched to bcrypt. It's a far more secure and strong hash than SHA-1 and is a lot less susceptible to brute force attacks unlike SHA-1. Any forum upgrading from 2.0/1.1 will have their users' passwords upgraded to this hash once they login for the first time on the 2.1 forum and new users will automatically get the bcrypt password.
Likes and Mentions
SMF now has support for grabbing a user's attention simply by mentioning their name using the @username syntax, similar to popular social networking sites such as Facebook and Twitter. This action will send an alert and/or an e-mail depending upon the receiving user's preferences.
Likes also receive some additional features and improvements, with the ability to like a post via AJAX without having to refresh the page as well as permissions for membergroups to allow liking posts or not.
Minimum PHP version bump
With the additional improvements in password hashing as well as other improvements and advancements requiring the use of features such as closures, we've decided to bump the minimum version of PHP to 5.3.8 with 2.1. SMF 2.1 will not work with versions below that.
Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.
BoardIndex optimisation
The BoardIndex receives some love with improvements in the way it's queried, breaking the previously monstrous query into three smaller queries. Also, boards are now explicitly sorted by using a sort cache for all the DB types instead of using a rather inefficient ORDER BY clause for Postgres, SQLite. This also fixes random board ordering in MySQL 5.6+ without impacting the performance.
Karma's gone!
As decided in a poll before, we've completely removed karma which will in turn be made into a separate optional modification for SMF 2.1.
But wait! We've even more!
That's it for now
, thank you for reading. With every commit, we're nearing a Beta release with the hopes to get one out as soon as possible. As always, all the latest changes, everything I've listed here and more can be seen on our GitHub repository but please be careful, as it's in Alpha stages for now. Feel free to give it a spin but do not use it in a live/production environment, there may be bugs or we may unexpectedly change something which might put your forum into an unusable state.
Regards
Change in password hash
Passwords stored in the database are hashed. In the unlikely event that your database gets stolen and the passwords are leaked, the thief cannot see the actual password without cracking the hash. The hash protects the user's password being in plain sight to the attacker and helps protect their online identity on that site, as well as, potentially, other sites.
SMF has been using SHA-1 hash for its passwords from 1.1 to 2.0 and while SHA-1 still has no known weakness, it's a weak hash by today's standard and is susceptible to being cracked via brute force attacks. While this is still a hard task and would probably require GPU farms to be effective on a large scale, it's definitely a threat especially to passwords which are weak, commonly used and/or based on common dictionary words.
With 2.1 the entire hash has been switched to bcrypt. It's a far more secure and strong hash than SHA-1 and is a lot less susceptible to brute force attacks unlike SHA-1. Any forum upgrading from 2.0/1.1 will have their users' passwords upgraded to this hash once they login for the first time on the 2.1 forum and new users will automatically get the bcrypt password.
Likes and Mentions
SMF now has support for grabbing a user's attention simply by mentioning their name using the @username syntax, similar to popular social networking sites such as Facebook and Twitter. This action will send an alert and/or an e-mail depending upon the receiving user's preferences.
Likes also receive some additional features and improvements, with the ability to like a post via AJAX without having to refresh the page as well as permissions for membergroups to allow liking posts or not.
Minimum PHP version bump
With the additional improvements in password hashing as well as other improvements and advancements requiring the use of features such as closures, we've decided to bump the minimum version of PHP to 5.3.8 with 2.1. SMF 2.1 will not work with versions below that.
Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.
BoardIndex optimisation
The BoardIndex receives some love with improvements in the way it's queried, breaking the previously monstrous query into three smaller queries. Also, boards are now explicitly sorted by using a sort cache for all the DB types instead of using a rather inefficient ORDER BY clause for Postgres, SQLite. This also fixes random board ordering in MySQL 5.6+ without impacting the performance.
Karma's gone!
As decided in a poll before, we've completely removed karma which will in turn be made into a separate optional modification for SMF 2.1.
But wait! We've even more!
- Multiple improvements to the WIP Curve2 theme and its responsive aspect.
- Linktree automatically hides parent boards if they cannot be seen by the visiting member.
- jQuery has been updated to 1.11.
- Multiple bugfixes regarding undefined indexes, unexpected behaviours etc.
- And several other things I'm probably forgetting here...
That's it for now
, thank you for reading. With every commit, we're nearing a Beta release with the hopes to get one out as soon as possible. As always, all the latest changes, everything I've listed here and more can be seen on our GitHub repository but please be careful, as it's in Alpha stages for now. Feel free to give it a spin but do not use it in a live/production environment, there may be bugs or we may unexpectedly change something which might put your forum into an unusable state.Regards
Comments
Upgrader and installer also now have RTL 
Thanks for the update dragooooooooooooooooooooooooooooooooooooon!
Quote from: Labradoodle-360 on June 03, 2014, 11:17:36 AMWell I was bound to miss a few
Upgrader and installer also now have RTL
, one can always check Github's commit logs to know exactly what went down.great news, thanks for the updates!
Fantastic News~! Many "Thanks" to ALL involved. This is really exciting.
Those with the know-how
to do this, please keep up this awesome work.Thanks for posting this Dragooon.
Good job
Thanks for the update! I really enjoy the mentions system and use it on my boards.
Nice work. Question: is it possible for a user to completely switch off the likes and mentions notifications?* I know some people like them, but others just find them a nuisance.
*Meaning so they never show up on the forum interface at all.
*Meaning so they never show up on the forum interface at all.
I believe likes can be turned off, not so sure about mentions. Given that they tie into the alerts system and a bunch of other stuff also ties into the alerts system...
K. Well my 2c is that it'd be cool to have a user option to mindlessly clear all mentions with one click. I find it a PITA when I have to manually go through and deal with each one.
You should be able to turn off getting alerts for mentions if you don't care
Oh goody. Elk didn't have that last I checked.
That's because Elk's system is totally different from SMF's.
Well since they're determined to be better, I expect they'll have to put it on their to-do list now.
Yeah, I chose to stop development before I finished building it. Long story. Dragooon is doing awesome work now though.
Quote from: Arantor on June 03, 2014, 06:18:27 PMWouldn't that kind of defeat the entire point?
You should be able to turn off getting alerts for mentions if you don't care
Nice work, thanks for the update.
Yeah, I want it to defeat the whole point.
Thanks for the update!
Nice update! thanks for all
Quote from: Antechinus on June 03, 2014, 06:08:53 PMThe alerts for both Likes and Mentions can be disabled, but the user will still see the mentions/likes on individual posts.
Nice work. Question: is it possible for a user to completely switch off the likes and mentions notifications?* I know some people like them, but others just find them a nuisance.
*Meaning so they never show up on the forum interface at all.
Cool. That'll work.
Very interesting, thanks for letting us know!
I have a question about the karma since I didn't followed it up.
Since it becomes a mod, will there be a replacement system and will the karma mod be maintained by SMF itself?
I have a question about the karma since I didn't followed it up.
Since it becomes a mod, will there be a replacement system and will the karma mod be maintained by SMF itself?
QuoteSince it becomes a mod, will there be a replacement system and will the karma mod be maintained by SMF itself?Likes is intended to be the replacement system, and the mod will be released by SMF which will be exactly as the old system but I don't know about the plans of maintaining it (probably nothing beyond the occasional bug fix if any)
Quote from: Dragooon on June 04, 2014, 07:02:35 AMGood choice
Likes is intended to be the replacement system, and the mod will be released by SMF which will be exactly as the old system but I don't know about the plans of maintaining it (probably nothing beyond the occasional bug fix if any)
Thanks for the update. Great work everyone .
.Great work all.
Quote from: Dragooon on June 04, 2014, 07:02:35 AMQuoteSince it becomes a mod, will there be a replacement system and will the karma mod be maintained by SMF itself?Likes is intended to be the replacement system, and the mod will be released by SMF which will be exactly as the old system but I don't know about the plans of maintaining it (probably nothing beyond the occasional bug fix if any)
Ah, that's cool
.Another annoying question: any idea's known about converting karma to likes, in that case? (for example positive karma becomes the current amount of positive likes and negative karma becomes the current amount of dislikes)
Cheers
.Isn't possible because karma is only recorded per user, not per post. (It is recorded per post for *short* periods of time, like the last hour by default)
Cool, okay thanks.
I was planning on modifying the karma system but since it's going to disappear I'm not sure to still do it.
I was planning on modifying the karma system but since it's going to disappear I'm not sure to still do it.
Quote
Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.
This is a good decision and I am glad to see the team decided to go though with that minimal requirement and to do away with those create_functions. Imo it was rather obvious to what was causing those issues as the official PHP documentation clearly states the repercussion of using those in multiple and compounding at that.
All of the code related to PHP 5.5 compatibility for 2.0.7 was drawn from 2.1, most of which was written in 2012 by people who've long since left the team. If it was that obvious, would it not have been noticed sooner?
Good Job ^^
Really looking forward to 2.1 and reading about it.
Quote from: karlbenson on August 25, 2014, 06:40:46 AM
Really looking forward to 2.1 and reading about it.
Yeah, it looks like it's going to be really good. We're finally getting some long wanted improvements.
Hello! When wait 2.0.9?
When it is ready. The team are reviewing it and testing it and then it will be released once the team are satisfied with it.
couldn't resist...
Who let Antes in to the kitchen? 
My evil non-existent half brother.
Quote from: Arantor on September 24, 2014, 11:06:40 AM
Who let Antes in to the kitchen?
Check the rear door, do you think that's only for dogs
And you would come in via the dog's door? For shame.
Quote from: Arantor on September 24, 2014, 11:13:45 AM
And you would come in via the dog's door? For shame.
For emergency only... Mailman and things inside mailbox taking my whole time mostly... I sleep rest