[Mageia-dev] A comparison of forum software from a security POV
Romain d'Alverny
rdalverny at gmail.com
Mon Sep 27 10:02:02 CEST 2010
Hi,
On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga at uridium.org> wrote:
>
> I did a quick comparison of the most common forum software packages
> (both commercial and FOSS) from a vulnerability point of view.
>
> I have been subscribed to the well-known (every sysadmin who takes
> his/her job seriously is subscribed to it) weekly SANS "@RISK: The
> Consensus Security Alert" newsletter since 2000, so I have an mbox
> archive file that contains almost 11 years' worth of weekly alerts
> about software vulnerabilities.
>
> A quick and easy way that I have used before to assess the vulnerability
> of any software is to do a simple grep of the software name in this mbox
> file and count the times that software gets mentioned. While this is not
> 100% scientific, it gives a good approximation of the number of
> vulnerabilities a particular piece of software has suffered from.
Indeed. It's interesting. But ranking only by the disclosed number of
vulnerabilities in the past does not assess what will be in the
future. It's not enough.
Additional important figures would be how long it took for each
vulnerability to be fixed, how many users each package has had, etc.
Plus, what type of vulnerability. Plus, for which branch of the
software (I guess, for instance, phpBB 2.x and 3.x are a bit
different).
What we do need is a forum that matches our needs; actually pretty
basic, but maybe with good admin features, excellent hackability,
extensibility, good documentation, and a nice community of
developers around it. And, since we're in the free software thing,
we want to be able to share changes as well (even if only through
our own community) without worrying.
So, requirement #1: open source license (as in http://opensource.org/ ).
> [...]
> All I can say, I'm surprised that the official Mandriva forum (which
> uses phpBB) is still standing... :-)
Parts of it were heavily hacked back in the days. Still, yes, it's
sort of a miracle somehow. :-)
Romain
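The grep-and-count method Tux99 describes, together with the per-branch and per-year breakdown Romain asks for, as an added example that is not part of the thread and not anyone's actual script. The mbox content below is constructed to show the layout only; the alert entries are invented, not real @RISK items. It counts alerts (messages) rather than matching lines, because a plain `grep -c` counts every line and a single alert listing two branches of the same package would be counted twice.

```python
import re
from collections import Counter

# Constructed sample in mbox layout; the entries are invented and only
# illustrate the format. They are not real SANS @RISK content.
SAMPLE_MBOX = """\
From sans-lists@example.org Mon Jan  5 09:00:00 2009
Subject: @RISK: The Consensus Security Alert, Vol. 8 Num. 1
Date: Mon, 5 Jan 2009 09:00:00 +0000

(1) phpBB 3.0.x: example issue in a forum feature
(2) vBulletin 3.8.x: example issue in an admin page
(3) phpBB 2.0.x: example issue in an older branch

From sans-lists@example.org Mon Jun  1 09:00:00 2009
Subject: @RISK: The Consensus Security Alert, Vol. 8 Num. 22
Date: Mon, 1 Jun 2009 09:00:00 +0000

(1) Simple Machines Forum (SMF) 1.1.x: example issue
(2) PHPBB 3.0.x: example issue (vendor name in capitals)

From sans-lists@example.org Mon Mar  1 09:00:00 2010
Subject: @RISK: The Consensus Security Alert, Vol. 9 Num. 9
Date: Mon, 1 Mar 2010 09:00:00 +0000

(1) MyBB 1.4.x: example issue
(2) vBulletin 4.0.x: example issue
"""

# mbox separator: a line starting with "From " followed by an address.
FROM_LINE = re.compile(r"^From \S+ .*$", re.M)
# First four-digit run on the Date: header is the year.
DATE_HDR = re.compile(r"^Date:.*?(\d{4})", re.M)


def split_mbox(text):
    """Split mbox text into (year, message_text) pairs, one per alert."""
    starts = [m.start() for m in FROM_LINE.finditer(text)]
    messages = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        msg = text[start:end]
        m = DATE_HDR.search(msg)
        messages.append((int(m.group(1)) if m else None, msg))
    return messages


def name_pattern(name):
    # Word-bounded and case-insensitive: matches "PHPBB" but not "MyBB".
    return re.compile(r"\b" + re.escape(name) + r"\b", re.I)


def count_lines_matching(text, name):
    """What `grep -ci name archive.mbox` reports: number of matching lines."""
    pat = name_pattern(name)
    return sum(1 for line in text.splitlines() if pat.search(line))


def count_messages_mentioning(messages, names):
    """Number of alerts mentioning each name, counted once per alert."""
    counts = Counter()
    for name in names:
        pat = name_pattern(name)
        counts[name] = sum(1 for _, msg in messages if pat.search(msg))
    return counts


def count_by_branch(messages, name):
    """Alerts mentioning `name`, split by major version (phpBB 2.x vs 3.x)."""
    pat = re.compile(r"\b" + re.escape(name) + r"\s+(\d+)\.", re.I)
    counts = Counter()
    for _, msg in messages:
        for major in set(pat.findall(msg)):  # each branch once per alert
            counts[f"{name} {major}.x"] += 1
    return counts


def count_by_year(messages, name):
    """Alerts mentioning `name` per year, to see whether the rate changes."""
    pat = name_pattern(name)
    counts = Counter()
    for year, msg in messages:
        if pat.search(msg):
            counts[year] += 1
    return dict(counts)


if __name__ == "__main__":
    msgs = split_mbox(SAMPLE_MBOX)
    print("grep -ci phpBB:", count_lines_matching(SAMPLE_MBOX, "phpBB"))
    print(count_messages_mentioning(msgs, ["phpBB", "vBulletin", "SMF", "MyBB"]))
    print(count_by_branch(msgs, "phpBB"))
    print(count_by_year(msgs, "phpBB"))
```

On the sample, the line count for phpBB is 3 while only 2 alerts mention it, which is exactly the inflation the per-message count avoids. The version regex assumes the vendor name is followed by a space and a dotted version, as in the sample; an archive that writes "phpbb3" or links to a project site would need a looser pattern, so check a few raw matches before trusting the totals.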