[Mageia-sysadm] [forums-discuss] Re: updating sysadmin privileges in forum config

Michael Scherer misc at zarb.org
Sat Mar 24 14:45:34 CET 2012


On Saturday 24 March 2012 at 12:48 +0100, Wolfgang Bornath wrote:
> 2012/3/24 Michael Scherer <misc at zarb.org>:
> > On Thursday 22 March 2012 at 08:18 +0100, Wolfgang Bornath wrote:
> >
> >> He is talking about the update of the forum software phpBB3. The
> >> version used at Mageia is outdated since summer 2011. New versions of
> >> phpBB3 almost always are caused by security issues. This has been
> >> mentioned several times in the forum threads. The point is that the
> >> implementation of the forum software at Mageia (involving puppet,
> >> etc.) was done this way to "ease forum software maintenance" (quoting
> >> maât). :)
> >
> > Strictly speaking, what would have really helped the maintenance would
> > have been to use:
> > - a forum properly packaged, not one requiring a specific deployment
> > process like the current setup we have. Packages have solved part of the
> > problem for 15 years; maybe it would be a good moment to start using
> > them.
> > - a forum that does not require patching to add features
> > - a forum that does not require updates on a regular basis.
> 
>  - I know not much about packaging (just the essentials). 

I know packaging, and more than "the essentials". I also know system
administration, and also more than the essentials, partly because that's my
job.

> But I doubt
> there would be benefits by having a package for the forum software.
> Quite to the contrary, a simple change of a character in one of the
> php files would cause the need of an update of the whole package,
> while as is you just need to exchange this one php file. If there
> would be a benefit I guess there would have been phpBB packages for
> years, phpBB being the most popular forum software, not only in the
> Linux world. Ok, a weak point, I admit.

The point is indeed weak.

For a start, having a package would ease the testing, since right now
people just have no clue how to replicate our setup. There are the
puppet manifests, but I take for granted that the intersection of those
who know how to use them and those interested in testing phpbb is
near 0.

The second part of having a package is that it would benefit others if it is in
the distribution. It would also ease the management of versions by the QA
(because if stuff is really important, you want to have it checked before
it goes live).

Another idea is to detect when there is a change in the php files, by
using the rpm -V feature. That's quite handy when there is a problem
(again, speaking from experience).

And having an rpm in the distribution also means that we can benefit from
the whole framework for making sure this is up to date, making sure that
basic quality is respected, etc. Something that is far from being the
case with a random zip taken from the web, especially for php software.
And I am not even talking about more complex security systems like tomoyo or
selinux.

It also means that the packager is following the update policy, which is
there to prevent unwanted breakage by minimizing changes.

A package also means we know what we can remove from the server, or what
we need. If we say "phpbb needs php-zip", we know that the 2nd needs to
have a packager, or we are in trouble.

If we wanted to use slackware-style package on our servers, we would
have done so.


Oh, and there is a package for phpbb in Debian. So the lack of a package in
Mageia just shows that no one is interested in it, and shows there isn't
much correlation between what users would want and what people are
interested in doing.


>  - How would you implement requested features which are not available
> in the forum software other than by "MODs" (which is the same as a
> patch)?

Usually, with well designed software, that works with plugins. Of course,
with some stuff, that goes by "let's duplicate the source code and deal
with merging source code updates". There are tons of examples of why this is
wrong (search "technical debt" on a search engine for lots of articles
on the topic), hence the need to use properly designed software, and
to stay in a well designed process.

For example, bugzilla has a rather clean API in version 4.0.
Firefox, evolution, kde: all can be extended because they were designed
this way.

In fact, every single piece of software that we can consider extendable in the
world has some form of plugin system, except for some web applications,
because people are too impatient or too enthusiastic to do stuff more
slowly and properly, because it takes time to design a proper API.

And that's not because other applications are harder to edit. There are
lots of python, ruby and perl applications out there that are no
harder to edit in place than php. And yet, coders usually add extension
systems rather than saying "just edit the file and that's it".

We did take the "let's patch bugzilla to death" route during the mandrake era.
This ended with an outdated bugzilla.

And frankly, the whole idea of mods is a sign that phpbb is not suitable
out of the box, as I said in the past. So while maybe the others are not
either, that's still a signal that something is wrong.

>  - every php based forum software I know (I think I know almost all of
> them at least from testing) gets regular updates from upstream. Most
> of the changes between versions are not added functionalities or nicer
> looks (where implementing an update could be a matter of discussions)
> but needed bug fixes and even more needed security fixes. That's why
> updates are unavoidable and should be done in due time. If you know a
> forum software with equal functionality and which does not require
> such updates, great, let's have it!

I never said that updates should not be done in due time. But the fact
that you need to patch the software is a clear blocker for doing
upgrades. There are unit tests in place in phpbb to ease everything, but I
doubt that coders who know how to write tests would be ok with the whole
"patching the code" style of extensions.

And that's also a point for having a package in the distribution, where
we have a proper process for upgrades. There is nothing more special
about the forum software than about the rest of the system that would
warrant it being treated differently.

> > We are open to discuss patches or even constructive comments to the
> > puppet setup, but it seems that no one sent anything at all. I have
> > justified everything we did, and the reason for not having a free for
> > all system due to privacy and security requirements that I explained
> > enough to not repeat myself.
> 
> Exactly these (privacy & security) are the reasons for forum software
> updates. To me the current implementation was explained as a way to
> ease maintenance. 

Easing doesn't mean "give a magic wand to do upgrades". If no one does
it, it just doesn't happen.

> That's why I (and others) asked in the forum why
> needed updates were not installed. I asked this in the forum because
> for a forum user the forum admin is the right person to contact, not
> any other group or person, not any other platform.

There is what people may think regarding who to contact, and there is
reality. If the two don't match, it's usually reality that wins.

> > I didn't see any pull request or patch to upgrade the forum in
> > git, nor any request to have write access to the aforementioned git by
> > anyone. While I can imagine that puppet, despite being dead easy and
> > very well documented, is too complex for a hobbyist sysadmin, I do not
> > think that git is so obscure and unknown a technology that no one ever
> > tried to do anything with it.
> 
> Maintaining the forum (implementing modifications, updates or starting
> these by creating a bug report or whatever is needed) is the most
> prominent task of the forum admin; there's not much else for him to
> do. It is not the user's job to care for such things. Maât himself
> even explained the workflow once in the forum, so he knew exactly what
> to do. So, if you blame somebody about missing requests or whatever,
> please knock on the right door.

From my point of view, everybody can open a bug report or send patches.
No one did, and you can say as much as you want "this is not my fault",
that will not change anything nor retroactively make bug reports appear.

I would add that if people have pretensions to become admin or
anything, they should at least attempt to act as such, i.e. by sending
patches, etc.

The last "git push" is not harder than "git send-email".

> > Also, it seemed obvious to me that security issues should be treated
> > like the rest of the issues, on bugzilla and not on forums. I still see
> > no bug opened for that on the bug tracker.
> 
> You're right, it's no topic for forum discussions. If updates are
> available upstream, the admin should open a bug report, adding an
> "important" tag to ensure that it is done in due time. This was never
> done.
> 
> Summary: this discussion only started because somebody did not do his
> job (whatever reason). Hopefully exchanging people on the relevant
> position will improve the situation.

No, the discussion started because no one did the job. We are not
Mandriva; there is no "someone is in charge so I do nothing" bullshit
state of mind, with the separation between the company and the rest of the world. The
system is open enough that someone skilled enough and motivated enough
can do most of the job, except the last step.

If people were really concerned with contributing instead of talking about how
they would want to do something or how others didn't do what they
wanted, they would have done something.

-- 
Michael Scherer
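A concrete form of the `rpm -V` check suggested above, added here as an example and not taken from the thread: `rpm -V` prints one line per file that differs from what the package shipped, and this script filters those lines down to PHP files whose content digest changed, plus files that went missing. The package name `phpbb` and the paths are assumed, and the sample verify output is constructed.

```sh
#!/bin/sh
# Added example, not from the mailing list: triage `rpm -V` output to spot
# PHP files whose on-disk content no longer matches the package.
# Assumptions: package name "phpbb" and paths are hypothetical; the sample
# output below is constructed to mimic the rpm -V line format.
#
# rpm -V line format: a 9-character flag field, an optional attribute
# marker (c = config file, d = documentation), then the path.
# Flag positions: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; '.' means that test passed.
# A file that is gone is printed as "missing" instead of the flags.

# Paths of .php files whose digest changed (content altered).
# Config files (attribute "c") are expected to differ and are skipped.
changed_content() {
    awk '
        NF >= 2 && $1 != "missing" {
            flags = $1
            path  = $NF
            attr  = (NF == 3) ? $2 : ""
            if (substr(flags, 3, 1) == "5" && attr != "c" && path ~ /\.php$/)
                print path
        }'
}

# Paths of files the package shipped that are no longer on disk.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Constructed sample of what `rpm -V phpbb` might print on a tampered host.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/share/phpbb/includes/functions.php
.......T.    /usr/share/phpbb/index.php
S.5....T.  c /etc/phpbb/config.php
missing     /usr/share/phpbb/viewtopic.php
.M.......    /usr/share/phpbb/posting.php'

# On a real host replace the printf with: rpm -V phpbb
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | changed_content
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | missing_files
```

Only the first and fourth sample lines are reported: a size or mtime change alone (index.php, posting.php) does not prove the content changed, and the config file is excluded on purpose.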
