[Mageia-dev] A comparison of forum software from a security POV

Michael Scherer misc at zarb.org
Mon Sep 27 12:40:19 CEST 2010


On Monday 27 September 2010 at 10:02 +0200, Romain d'Alverny wrote:

> What we do need is a forum that matches our needs; actually pretty
> basic, but maybe for having good admin features, excellent
> hackability, extensibility, being well documented, having a nice
> community of developers around it. And, provided we're in the free
> software thing, we want to be able to share changes as well (would it
> be only through our own community) without worrying.
>
> So, requirement #1: open source license (as in http://opensource.org/ ).

Yup.

I think we should compile a list of requirements first, and then use
this to select possibilities.

So let's try:

good admin features 
-> lock down thread
-> move thread between forums
-> accountability of such changes, at least for admin
-> transparency of who manages what

hackability / extensibility
-> support for extension ?
--> a good ecosystem of extension ?
-> written in a known language
-> well written
--> use existing and well known framework/modules ( ie, not a custom one
if possible )

being well documented
-> good user documentation
--> translated documentation
--> clear documentation ( screen shot ? )
-> community around it
--> well known by people

free license
-> AGPL would be a plus, but that's just for me :)

as a sysadmin, I would add :

-> not full of security holes
--> have a good history

-> good reactivity of developers
--> proper bug tracker ( ie, not a forum )
--> good history , seen by looking at BTS

-> do not have excessive requirements
--> do not use too exotic database system like voldemort or hbase
--> do not require too exotic language ( erlang, fortran )
--> do not require a very specific version of component
--> do not require too much unpackaged stuff
--> portable across databases ( ie, if someday, mysql is killed, we
could change to a clone or to pgsql )


-> not a resource hog ( like use a db instead of flat file )
--> able to manage a lot of users, and lots of posts
--> set indexes on the db (a proof that developers thought of it )
--> scalable ( can it be sharded, or clusterised ? )

-> do not produce horrible html
--> if possible, produce html compliant pages and css

-> could work without javascript, even if this requires to disable more
advanced features ( some people disable it for various reasons like
security, etc ).

-> do not require flash to work

With my jabberfr member hat on :

-> good xmpp integration
--> take care of xmpp link
--> offer jabber in vcard
--> can send message on jabber instead of mail

/me remove the hat

as a user :
-> an effective antispam
--> if possible, no captcha, or at least, one that does not weed me out

-> something that does not mark a thread as read if I simply visit the
forum
-> a link "last posts" for the whole forum
-> a link "last posts" for just a forum
-> having more information when I receive a mail when someone answered. 
   Ie more like "foo has responded this" more than "someone said  
   something, click here to see" 

-> efficient search engine
--> do not forbid 3 letters search ( because acronyms are everywhere )

-> easy to manage from command line, so we can script various thing
( like removal of inactive account, etc, etc )

-> integrated with sso. this one can be quite tricky to realize, as
romain will tell you.

I assume that other users will have other requirements ( like custom
smiley, rich text edition, ml integration, etc ). I remember a thread
about using the forum like a ticket system. Ie, how could the support be
improved by changing the process and the forum ?


I also assume that some requirements are more important than others. Ie,
there is MUST and there is MAY, like in RFC.

So let's first gather requirements, then we will decide on what is
really important or not. 

-- 
Michael Scherer


