Suit up!
Hello! Time for another update regarding our progress with 2.1.
Change in password hash
Passwords stored in the database are hashed. In the unlikely event that your database gets stolen and the passwords are leaked, the thief cannot see the actual password without cracking the hash. The hash protects the user's password being in plain sight to the attacker and helps protect their online identity on that site, as well as, potentially, other sites.
SMF has been using SHA-1 hash for its passwords from 1.1 to 2.0 and while SHA-1 still has no known weakness, it's a weak hash by today's standard and is susceptible to being cracked via brute force attacks. While this is still a hard task and would probably require GPU farms to be effective on a large scale, it's definitely a threat especially to passwords which are weak, commonly used and/or based on common dictionary words.
With 2.1 the entire hash has been switched to bcrypt. It's a far more secure and strong hash than SHA-1 and is a lot less susceptible to brute force attacks unlike SHA-1. Any forum upgrading from 2.0/1.1 will have their users' passwords upgraded to this hash once they login for the first time on the 2.1 forum and new users will automatically get the bcrypt password.
Likes and Mentions
SMF now has support for grabbing a user's attention simply by mentioning their name using the @username syntax, similar to popular social networking sites such as Facebook and Twitter. This action will send an alert and/or an e-mail depending upon the receiving user's preferences.
Likes also receive some additional features and improvements, with the ability to like a post via AJAX without having to refresh the page as well as permissions for membergroups to allow liking posts or not.
Minimum PHP version bump
With the additional improvements in password hashing as well as other improvements and advancements requiring the use of features such as closures, we've decided to bump the minimum version of PHP to 5.3.8 with 2.1. SMF 2.1 will not work with versions below that.
Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.
BoardIndex optimisation
The BoardIndex receives some love with improvements in the way it's queried, breaking the previously monstrous query into three smaller queries. Also, boards are now explicitly sorted by using a sort cache for all the DB types instead of using a rather inefficient ORDER BY clause for Postgres, SQLite. This also fixes random board ordering in MySQL 5.6+ without impacting the performance.
Karma's gone!
As decided in a poll before, we've completely removed karma which will in turn be made into a separate optional modification for SMF 2.1.
But wait! We've even more!
That's it for now
, thank you for reading. With every commit, we're nearing a Beta release with the hopes to get one out as soon as possible. As always, all the latest changes, everything I've listed here and more can be seen on our GitHub repository but please be careful, as it's in Alpha stages for now. Feel free to give it a spin but do not use it in a live/production environment, there may be bugs or we may unexpectedly change something which might put your forum into an unusable state.
Regards
Change in password hash
Passwords stored in the database are hashed. In the unlikely event that your database gets stolen and the passwords are leaked, the thief cannot see the actual password without cracking the hash. The hash protects the user's password being in plain sight to the attacker and helps protect their online identity on that site, as well as, potentially, other sites.
SMF has been using SHA-1 hash for its passwords from 1.1 to 2.0 and while SHA-1 still has no known weakness, it's a weak hash by today's standard and is susceptible to being cracked via brute force attacks. While this is still a hard task and would probably require GPU farms to be effective on a large scale, it's definitely a threat especially to passwords which are weak, commonly used and/or based on common dictionary words.
With 2.1 the entire hash has been switched to bcrypt. It's a far more secure and strong hash than SHA-1 and is a lot less susceptible to brute force attacks unlike SHA-1. Any forum upgrading from 2.0/1.1 will have their users' passwords upgraded to this hash once they login for the first time on the 2.1 forum and new users will automatically get the bcrypt password.
Likes and Mentions
SMF now has support for grabbing a user's attention simply by mentioning their name using the @username syntax, similar to popular social networking sites such as Facebook and Twitter. This action will send an alert and/or an e-mail depending upon the receiving user's preferences.
Likes also receive some additional features and improvements, with the ability to like a post via AJAX without having to refresh the page as well as permissions for membergroups to allow liking posts or not.
Minimum PHP version bump
With the additional improvements in password hashing as well as other improvements and advancements requiring the use of features such as closures, we've decided to bump the minimum version of PHP to 5.3.8 with 2.1. SMF 2.1 will not work with versions below that.
Conversion of create_function's lambda style functions to true anonymous closures
SMF has a lot of create_function calls (over 200 in fact) and create_function is a particularly memory hungry function which cannot be optimised by bytecode caches and properly garbage collected. With the recent bump in PHP 5.3, we've decided to take this opportunity and convert all of them to true closures which will have much better support as well as proper support for garbage collection the moment it's out of scope.
BoardIndex optimisation
The BoardIndex receives some love with improvements in the way it's queried, breaking the previously monstrous query into three smaller queries. Also, boards are now explicitly sorted by using a sort cache for all the DB types instead of using a rather inefficient ORDER BY clause for Postgres, SQLite. This also fixes random board ordering in MySQL 5.6+ without impacting the performance.
Karma's gone!
As decided in a poll before, we've completely removed karma which will in turn be made into a separate optional modification for SMF 2.1.
But wait! We've even more!
- Multiple improvements to the WIP Curve2 theme and its responsive aspect.
- Linktree automatically hides parent boards if they cannot be seen by the visiting member.
- jQuery has been updated to 1.11.
- Multiple bugfixes regarding undefined indexes, unexpected behaviours etc.
- And several other things I'm probably forgetting here...
That's it for now
, thank you for reading. With every commit, we're nearing a Beta release with the hopes to get one out as soon as possible. As always, all the latest changes, everything I've listed here and more can be seen on our GitHub repository but please be careful, as it's in Alpha stages for now. Feel free to give it a spin but do not use it in a live/production environment, there may be bugs or we may unexpectedly change something which might put your forum into an unusable state.Regards
Fantastic News~! Many "Thanks" to ALL involved. This is really exciting.
Those with the know-how
Thanks for posting this Dragooon.
*Meaning so they never show up on the forum interface at all.
Nice work, thanks for the update.
I have a question about the karma since I didn't followed it up.
Since it becomes a mod, will there be a replacement system and will the karma mod be maintained by SMF itself?
Ah, that's cool
Another annoying question: any idea's known about converting karma to likes, in that case? (for example positive karma becomes the current amount of positive likes and negative karma becomes the current amount of dislikes)
Cheers
I was planning on modifying the karma system but since it's going to disappear I'm not sure to still do it.
This is a good decision and I am glad to see the team decided to go though with that minimal requirement and to do away with those create_functions. Imo it was rather obvious to what was causing those issues as the official PHP documentation clearly states the repercussion of using those in multiple and compounding at that.
Yeah, it looks like it's going to be really good. We're finally getting some long wanted improvements.
couldn't resist...
Check the rear door, do you think that's only for dogs
For emergency only... Mailman and things inside mailbox taking my whole time mostly... I sleep rest