[RFC|Accepted] Symfony 2

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] Symfony 2

Post by naderman »

rschumacher wrote:
1. Security - Security is a big issue, we don't want more security problems in 4.x than 3.x.
While I don't know in detail the specific security issues experienced in phpBB versions up to now, I can say that Symfony has implemented a comprehensive security-aware construction in many ways, and that the needed functionalities are included while not bothering you directly in your task to develop your application. Just two examples which do not need really much ado by the developer (you may still care more about it according to your situation): user authentication and credentials on modules and actions level, detailed parameter filtering and checking in form submissions, and much more. As this is a critical part you may need to get more sophisticated support by the Symfony core team on that. But I feel confident about Symfony's reliance on this respect.

Especially when thinking about security problems that reportedly appeared repeatedly in phpBB3 (if I didn't misunderstand).
He was actually pointing out that phpBB3 has really managed to turn phpBB around in that regard. phpBB2 suffered from a lot of security problems, but phpBB3 has not had any serious exploits published since its stable release in December of 2007. So basically we do not want to go a step back here. However, based on what I know about Symfony, I have to absolutely agree that it offers all the tools, and really pays a lot of attention to people developing secure applications. One aspect I really liked was that the tutorial for learning symfony 1 actually explained those security-related aspects, rather than leaving them out because they are too complex for beginners. This is also an approach that is important to phpBB; we try to educate MOD authors in security matters wherever possible.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] Symfony 2

Post by EXreaction »

I am still not sure what you guys are talking about when you say "plugins". There are many different forms that plugins can be made, and many forms that people call "plugins" but are not usable on a wide scale and can suffer from conflicts. Some people call the ability to replace a built in function entirely with their own a "plugin" (which alone is just as bad, if not worse than manual code edits).
ameeck wrote: We have already defined an update mechanism for necessary security updates which could be present in phpBB or in third party products.
Yes, we do, but that is still an imperfect system. What if we release one of our normal updates, then, shortly after, one of the frameworks we use releases an important update with security fixes, and shortly after that, another one of the frameworks we use releases an important update with security fixes, etc, etc. I imagine we'll have more than just Symfony in use (I would assume we will be using Zend and EZ Components code for at least their search system as that's what naderman has recommended to me). We do not want to have multiple updates a month.
ameeck wrote: Besides, Symfony 2 is a mature product which has learned a lot from previous versions, and I believe security concerns in the basic low-level functions it provides are covered.
Symfony 2 lists a preview release, which doesn't tell me that it is a mature product.
ameeck wrote: As for the complexity of the code, I think it will actually be a step in the other way. At this moment, 95% of the available phpBB MODs need to hack into the system and manually hook into the code. The code suffers from worse legibility and is often prone to overlooking errors.
Editing the code manually is as in-complex as it can be. Other problems with editing the code are not relevant to complexity except for testing (which yes, unit tests would be good for, but it is something that needs to be easy if we want authors to have unit tests).

Knowing OOP is one thing, but it's completely different to be required to learn what hundreds of new functions do in a framework if we rely on one too heavily. Many people had trouble with the 2.0 to 3.0 transition for modding, which was relatively small in how things changed compared to the change to real OOP. Using a framework is not necessarily a bad thing, but there is the difference between using one and relying on one (for example, if we were to use an existing framework for sending emails, we should have our own wrapper for it at the least and not call some_emailer_library::send_message($to, $from, ...) from our own code anywhere other than in our wrapper).
rschumacher wrote: Especially when thinking about security problems that reportedly appeared repeatedly in phpBB3 (if I didn't misunderstand).
As naderman said, we've had virtually no security problems since our gold release (IIRC, the biggest one was where attachments in PMs did not check if you were the sender or receiver before allowing you to download, which is rather insignificant IMO). Pretty much any security fix in anything is going to be more severe than what we've had.

Stefan Koopmanschap
Registered User
Posts: 247
Joined: Sun Oct 28, 2001 9:47 am
Location: utrecht, the netherlands

Re: [RFC] Symfony 2

Post by Stefan Koopmanschap »

Hey phpBB community,

It has been a long time since I logged in here (I haven't checked, but it must've been years). I've had great years here at phpBB back in the days of phpBB2 as a user, Support Team Member and Support Team Leader, and even though I have moved on since, phpBB and its community still have a special place in my heart.

When I first heard of the possibility of phpBB moving towards Symfony some weeks ago, my heart skipped a beat. This was great news! Of course, nothing is set in stone yet, but truly it would be a great move. Let me try to give you some reasons why it would be a good idea to rebuild phpBB on top of Symfony, and let me try to offer some response to those with specific fears.

Don't reinvent the wheel
Using an existing open source framework for any web application is a good idea. The framework will take a lot of work out of the hands of the developers, allowing the developers of phpBB to focus specifically on the forum functionality they want to implement. This will allow for better code (since they can focus just on the interesting stuff), less code to maintain (since the framework contains a lot of the generic functionality) and also a faster release (because less code has to be written). Most frameworks and specifically Symfony focus on implementing the best practices of (web) development, and promote the same for code written on top of Symfony in projects. Result: Better, more understandable and extendable code which runs faster. For those that don't know a lot about technology: What this basically means for end-users: You will have a discussion forum that has few bugs, few security issues, that will allow you to have plugins/MODs without the need to edit specific files or the chance that an automatic installation fails because it can not correctly edit files.

Benefit from the existing Symfony community
Adopting Symfony as the basis for phpBB4 would mean you can tap into the power of the existing Symfony community. This has a lot of benefits. The most important one is that the basis of the phpBB4 code would be maintained by the Symfony community, not the phpBB4 developers. This is not meant as a stab towards the phpBB development team, because they're doing an awesome job. This simply means that there is more time for the phpBB development team to focus on their code. The framework itself will be maintained elsewhere, and the phpBB development team can simply pull in new fixes and new features and immediately make use of them for phpBB. Obviously, this also means that phpBB developers can, if they want to, contribute things to Symfony (the benefit goes both ways :) ).

Another benefit the phpBB community will get from using Symfony is the fact that the target audience will be much bigger all of a sudden. And since the majority of the Symfony community are developers, this means there is all of a sudden a huge group of developers available that might be interested in helping out with the development of phpBB itself or one of the many MODs. This will mean more help for the phpBB developers, both the official team and the community developers that contribute.

Opening up a new market
phpBB has been serving a huge market of online forums for all of its life. Whether it was a small local community forum or a huge million-user forum, phpBB was there. But one market has seen very little coverage by phpBB: The enterprise market. This is a market that has traditionally been for Java, .NET and similar languages but has recently been moving towards PHP more and more. So far, the market has been mostly for custom PHP framework development, especially Zend Framework, Symfony and such. And this is the market phpBB could step into. By having phpBB be based on such an enterprise-level framework, it will make it much easier for developers working with such a framework to integrate phpBB into their software. Now, the enterprise market values quality over quantity/speed usually, so this might make the quality of the phpBB code even better.

Extending phpBB with symfony code
Symfony has an extensive database of plugins, similar to phpBB MODs. If phpBB would adopt Symfony, then these plugins would all of a sudden be available to users of phpBB. With a simple installation system this will make it very easy to start using this functionality.

Hard to learn?
I've seen mentions of people fearing Symfony is hard to learn. Symfony is known for its great documentation. Both for people new to Symfony and for people that already have some experience with Symfony. Also, Symfony 2, which would be the basis of phpBB4, is much easier to learn than symfony 1.*. Yes, for people not used to frameworks, it might take a bit of effort to learn. But these same people have taken the effort to learn the phpBB API. I would dare say that the Symfony API will be much easier to learn, and the documentation for it is better.

Distribution problems?
Distribution for Symfony is very easy. For symfony 1.*, there are several open source packages available that offer a symfony plugin (for usage in symfony projects) as well as a stand alone package. And with the newer versions of symfony 1.*, it is even possible to offer a simple installer. Symfony 2 will simplify this even more, as it will be even more flexible for the distribution of either plugins (called Bundles in Symfony 2) or stand alone packages. So there is no reason about the ease of the distribution.

Security
Symfony has only seen one or two security releases so far. Because Sensio, the company that is backing Symfony, is mostly delivering to the enterprise world, security is a big focus for their development. This means that the framework they use for their projects will have a huge focus for security issues. The releases I've mentioned so far were not even about security vulnerabilities inside the Symfony code itself, but about external libraries that are bundled with Symfony. Even if something might pop up, the Symfony team is very quick to respond to such issues and make a new release for it.

Concluding
I hope this offers enough information to you. If there are any more questions, I am more than happy to answer any of them, or point you to the answers if they have been given already somewhere else.

Full Disclosure
As mentioned before I used to be a part of the phpBB team as Support Team Member and Support Team Leader. At this moment, I am a member of the symfony team as the Symfony Community Manager.

Handyman
Registered User
Posts: 522
Joined: Thu Feb 03, 2005 5:09 am
Location: Where no man has gone before!

Re: [RFC] Symfony 2

Post by Handyman »

@Stefan, Great to hear from you again and Congratulations on Symfony Community Manager :)

I'm also very excited about the move to Symfony 2 as the framework for phpBB4 for all the reasons mentioned above, but I had to post since usually people who don't like something are the ones being the squeaky wheels ;)
I was a bit saddened when I first heard the news because I really don't like how Symfony 1 is coded - but I also didn't like phpBB2 - all things must get better if they have a good team to make it happen.
As everybody knows, phpBB3 was a major step up from phpBB2 and I hope nothing less for phpBB4.
In the case of Symfony 2, I feel it is happening the same way; from the slideshows posted, it's certainly really improved and from the Blog Post by Naderman, it fits all the goals set for phpBB4.

As far as the releases go, there are a lot of products out there that have to deal with software they rely on upgrading or having bugs and they handle it, usually with flying colours. So that said, there's really no reason we shouldn't be able to do that for phpBB4, and if we find any problems with Symfony, we could even send patches their way if needed.

So I don't see any reason why we shouldn't use Symfony 2 for phpBB4 - time to outsource the wheel so we can focus on the car (instead of reinventing the wheel while working on the car) :)

rma-web
Registered User
Posts: 11
Joined: Sat Jan 16, 2010 1:27 am

Re: [RFC] Symfony 2

Post by rma-web »

I also think Symfony 2 would be great to use for the phpBB4 project, for all of the reasons listed above, and taking a look at the tutorials they have on their website.

Mod authors need to learn how phpbb3 works to create mods for that, so I don't see a difference between that and learning how symfony 2 works. Besides, it's not like phpbb4 will be released in a couple months, so you have plenty of time to look at the documentation of Symfony to learn about it.

The update issue could also be nulled if phpbb4 uses an update system like, (but with its own capabilities), the wordpress updater. If you use the framework and just "extend" it with phpbb features, and leave the code in the framework library alone, then I don't see it being a problem for phpbb developers to create release updates for phpbb and just have an automatic updater take care of the code changes for you, like Automod takes care of the code changes for mods. This should make it as easy as possible for admins, and then if all you have to do is click the update button in the ACP, who cares how many times a month you have to do it?

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: [RFC] Symfony 2

Post by A_Jelly_Doughnut »

Stefan Koopmanschap wrote: [snip]
I wasn't exactly a framework-oriented guy. Then I started doing some things with C# and my mind was changed (although the idiosyncrasies of .NET annoy me from time to time).

Provided that a solid framework exists, I see no reason not to use it. Five years ago, I'm not sure there was such a framework (except for the one provided with PHP's built-in functions). Now, with PHP 5.3 adding namespaces, a new generation of more sophisticated frameworks is possible. So far as I know, Symfony is the only one to produce a completely 5.3 framework as of this time. I think some others are expected later this year. It's an interesting time to be a PHP developer.
A_Jelly_Doughnut

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Symfony 2

Post by MichaelC »

I personally don't like the idea of basing phpBB 4 on Symfony, even if it does get more developers in, it will kick out a fair number of the old MOD and Style Developers.

I think basing it on a framework made by phpBB would suit it better.
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

ameeck
Registered User
Posts: 86
Joined: Sun Nov 13, 2005 6:43 pm
Location: Prague, Czech Republic

Re: [RFC] Symfony 2

Post by ameeck »

Unknown Bliss wrote: I personally don't like the idea of basing phpBB 4 on Symfony, even if it does get more developers in, it will kick out a fair number of the old MOD and Style Developers.

I think basing it on a framework made by phpBB would suit it better.
Why do you think it should kick out so many MOD and style authors?
Please think before you post.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [RFC] Symfony 2

Post by ToonArmy »

Unknown Bliss wrote: I think basing it on a framework made by phpBB would suit it better.
You want us to not use Symfony and use our own framework, well in the end it'll end up being designed very similar to Symfony, Zend, etc. just we'll be reinventing the wheel.

rma-web
Registered User
Posts: 11
Joined: Sat Jan 16, 2010 1:27 am

Re: [RFC] Symfony 2

Post by rma-web »

I don't understand why people think that using Symfony or any other library will be a problem for mod authors and stylers. I have high confidence that the phpbb team will maintain great documentation for phpbb4, and since naderman said he wants the community to be involved in the project, there will probably be plenty of tutorials on how to author a mod/style when phpbb4 gold is out. Everyone had to learn how to use v3 since it wasn't the same as v2, so what's the problem with learning v4? It's still a long way out, so anybody who is interested in developing mods/styles has plenty of time to look at the Symfony 2 website's getting started tutorials. They have a Quick Tour http://symfony-reloaded.org/quick-tour-part-1 which didn't take me long to get to the end of, so people complaining of how much time it would take to learn the new software have ground to stand on. Also, if you watch the development of the project via git, then you will be learning that way too, how the project is structured and oriented.
