[RFC] Automated Updating

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
Meis2M
Registered User
Posts: 411
Joined: Fri Apr 23, 2010 10:18 am

Re: [RFC] Automated Updating

Post by Meis2M » Thu Jun 14, 2012 4:18 pm

very lovely
+1

Senky
Extension Customisations
Posts: 283
Joined: Thu Jul 16, 2009 4:41 pm

Re: [RFC] Automated Updating

Post by Senky » Thu Jun 14, 2012 5:31 pm

bantu wrote: Automatic updates can only happen if release packages are cryptographically signed and phpBB is able to verify the signature. This is currently not the case.
And what is the problem in here?

Does anybody know how WordPress manages that?

naderman
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC] Automated Updating

Post by naderman » Thu Jun 14, 2012 6:43 pm

WordPress does not do that, which leads to problems like: http://blog.unmaskparasites.com/2012/05 ... s-updates/

nextgen
Registered User
Posts: 128
Joined: Sat Jul 24, 2010 4:59 am
Location: Guatemala

Re: [RFC] Automated Updating

Post by nextgen » Thu Jun 14, 2012 11:10 pm

naderman wrote: WordPress does not do that, which leads to problems like: http://blog.unmaskparasites.com/2012/05 ... s-updates/
+1
*Imagine a signature super spectacular.*

brunoais
Registered User
Posts: 958
Joined: Fri Dec 18, 2009 3:55 pm

Re: [RFC] Automated Updating

Post by brunoais » Fri Jun 15, 2012 10:34 am

The problem is that, with automatic updates, if things aren't done in a very secure way, there can be security breaches in the system. Attacks like man-in-the-middle are really a big problem here.

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [RFC] Automated Updating

Post by Erik Frèrejean » Fri Jun 15, 2012 10:47 am

How are update problems being handled?
How are the files going to be written?
How is it going to be verified whether the update was successful?

I'm -1 on background updates; the system could automatically prepare the update, but the actual update should always be triggered by the user.
Available on .com
Support Toolkit developer

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany

Re: [RFC] Automated Updating

Post by MartinTruckenbrodt » Sun Jun 17, 2012 6:15 pm

Hello,
how should this feature work on a well modified board?

If it is working like AutoMOD or Extensions Manager then use only one engine for both things. And use one format for core updates and MODs and extensions.
I think replace-with actions are the biggest problem for all engines. Forbid replace-with actions. If a replace-with action is needed then just remark the code which needs to be replaced. And add the new code before or above.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Automated Updating

Post by imkingdavid » Sun Jun 17, 2012 8:18 pm

MartinTruckenbrodt wrote: Hello,
how should this feature work on a well modified board?

If it is working like AutoMOD or Extensions Manager then use only one engine for both things. And use one format for core updates and MODs and extensions.
I think replace-with actions are the biggest problem for all engines. Forbid replace-with actions. If a replace-with action is needed then just remark the code which needs to be replaced. And add the new code before or above.

Bye Martin
For board updates, it does not make sense to comment out code that is being replaced, as that just creates a bunch of commented out code for no reason, cluttering the core.

For extensions, there are no code edits so replace-with actions are irrelevant.

The fact that board updates require code edits and extensions don't means that having the same engine for both is not an option.

Anyway, what is currently keeping us from being able to implement something like this? I understand that we need to extensively test any system before it is deployed to ensure nothing happens like what happened to WP.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Automated Updating

Post by Oleg » Sun Jun 17, 2012 8:22 pm

You need to implement crypto verification on the board side.

But, if a board is compromised, the code can replace keys/certificates as easily as it can replace any other files. I'm not convinced that an update from a compromised board is possible at all. Certainly anyone who cares about security should use external mechanisms for updates, especially for updates from compromised boards.
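
Added example, not part of the thread and not phpBB code: one way the board-side check discussed above could look in PHP, using the openssl extension with a release public key pinned in the installation. The function name, the demo key pair and the package bytes are constructed for illustration.

```php
<?php
// Added illustration: verify a detached signature on an update package
// before any file is written. All names here are hypothetical.

/**
 * Returns true only if $signature is a valid RSA/SHA-256 signature over
 * $package under the pinned public key. Every other outcome fails closed.
 */
function update_signature_is_valid(string $package, string $signature, string $pinned_public_key_pem): bool
{
    $key = openssl_pkey_get_public($pinned_public_key_pem);
    if ($key === false) {
        return false; // unreadable key: refuse to update
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error),
    // so compare strictly against 1 instead of testing for truthiness.
    return openssl_verify($package, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

// --- Constructed demo data ---
// A real release process would sign offline and ship only the public key.
$release_key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pinned_public_key_pem = openssl_pkey_get_details($release_key)['key'];

$package = "constructed update archive bytes";
openssl_sign($package, $signature, $release_key, OPENSSL_ALGO_SHA256);

$cases = [
    'untouched package'          => [$package, $signature],
    'package altered in transit' => [$package . "<?php /* injected */", $signature],
    'signature missing'          => [$package, ''],
];

foreach ($cases as $label => [$data, $sig]) {
    $ok = update_signature_is_valid($data, $sig, $pinned_public_key_pem);
    printf("%-28s %s\n", $label, $ok ? 'verified, safe to stage' : 'rejected, nothing written');
}
```

The pinned key sits in the same file tree as the rest of the board, so this check protects the download path only; it gives no assurance on a board whose files an attacker can already rewrite, which is the limitation raised in the post above.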

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany

Re: [RFC] Automated Updating

Post by MartinTruckenbrodt » Sun Jun 17, 2012 8:37 pm

Hello David,
it was just a reflection of my long-time MOD author experience. MODs having a lot of replace-with actions cause most of the problems with phpBB updates using the automated update packages. Sometimes a lot of code is destroyed by this. I know how to repair it. But webmasters without the needed skills have big trouble.
Sometimes it's not possible to replace replace-with actions. This is the reason for my suggestion.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs
