new class - diff ?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: new class - diff ?

Post by code reader »

running the risk of making myself a nuisance (if i haven't achieved this status yet), i will try one more time:
1) of course the update happens on the server where the sources are. when i said "update server" i meant a central repository holding all the files (or database) required for the updates, and one file (or table in a database) containing information about the different updates, (versions, revisions, dependencies etc.).
2) i am aware that there is not "update server" today. however, if one wants to implement a "one click update", such a server will be required.
3) imho, when weighing the risks: having an update server, with the risk it might be hijacked, vs. having many many sites running out-of date code, i think the first risk is smaller and more maintainable.

the update process you describe, from the pov of the site admin, is as follows:
1) find out an update is available
2) open phpbb.com (or whatever), navigate to the location of the update, and download (this could be made easier if the "you are out of date" message will have a link directly to the download location)
3) unzip the files on local computer
4) using ftp, upload the file(s) to the host
5) using the browser, open the "install update" url on your site, and actually perform the update
6) remove the files uploaded in step (4)

the update i describe from the same pov is such:
1) find out an update is available
2) decide if/when you want to install it (maybe during a low activity period)
3) press the "install update now" button
4) answer some questions that the install process may ask.


it is my judgment that if the process will be closer to the way i describe it, the vast majority of the sites will install every update within a day or two of its release. it is my opinion that such a thing will do more towards enhancing phpbb security, both the real and the perceived, than any other thing you might do to improve it.

have a good one.
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You

Re: new class - diff ?

Post by Acyd Burn »

code reader wrote: 1) of course the update happens on the server where the sources are. when i said "update server" i meant a central repository holding all the files (or database) required for the updates, and one file (or table in a database) containing information about the different updates, (versions, revisions, dependencies etc.).


sourceforge.net and phpbb.com. The package includes all updated files as well as those from the old revision. Within the ACP you are directly pointed to the correct file to download depending on the version you have. All calculations are happening on this set of files.
code reader wrote: the update i describe from the same pov is such:
1) find out an update is available
2) decide if/when you want to install it (maybe during a low activity period)
3) press the "install update now" button
4) answer some questions that the install process may ask.


This is happening, but without the option of directly downloading the file and unpacking it. Since most people are used to uploading files to their webspace i do not see a hindrance here. If we let the software itself download the package and do the uncompressing, putting everything into the store folder for later processing (no, the database will not be used due to the database update tool - you will never be sure if the connection also works after updating the files) - which is an option i considered:

- you will be directly faced with the: "yuo are hackin' me" attitude from users thinking we call home.
- you need to have a clean file base, making sure no old updates are lying around
- most importantly not all hosting providers support the necessary extensions (for example safe mode and basedir restrictions would make it impossible to create directories within the store folder).
- leaving update files within a storage folder only invites other people to exploit the installation through them. There is a reason why the board goes offline once the install folder is there.

Now a few reasons why the install folder has been chosen:
- The admin is able to decide when and how he wants to do the update
- The board will go offline during the update
- The admin needs to remove the install folder after the update - which makes sure the files get removed properly
- We can better control the amount of bandwidth used
code reader wrote: it is my judgment that if the process will be closer to the way i describe it, the vast majority of the sites will install every update within a day or two of its release. it is my opinion that such a thing will do more towards enhancing phpbb security, both the real and the perceived, than any other thing you might do to improve it.


The update process is quite well explained, from the minute on you see the version notice within the ACP. The update process itself guides through the update and makes sure all files got updated.

And i may remind you that this subject is not for discussion - it has been decided that we won't include a function that will download and extract update packages automatically, especially if an admin wants to control the "when" of the update.

code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: new class - diff ?

Post by code reader »

Acyd Burn wrote: And i may remind you that this subject is not for discussion - it has been decided that we won't include a function that will download and extract update packages automatically, especially if an admin wants to control the "when" of the update.
i respect that and i won't talk about it any more. just some clarifications:
1) i was not talking about "automatic update", i talked about a "single-click update". the admin still has full control of if and when to apply any update.
2) using remote files or remote database access, there is no need to create any local storage of update files at all. in other words, i was not talking about the software downloading and unzipping the files, i was talking about using remote files. so, the question about "leaving a set of old files lying around" is moot. of course, if the process chooses to create backup copies of local files before modifying them then such files will be "lying around", but this problem is exactly the same in "your way" and "my way", so however you choose to solve it, the same solution applies.
3) there is no reason to stop supporting the "old" way of doing things, so anyone with a host that lacks any capability required for the "new" way will be no worse than they are now.

as i said, i understand that your decision is already made, and i won't return to this issue, i just wanted to clarify some points, because reading your response i wasn't sure you fully understood my suggestion.
Last edited by code reader on Tue Sep 05, 2006 5:50 pm, edited 1 time in total.
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You

Re: new class - diff ?

Post by Acyd Burn »

code reader wrote: in other words, i was not talking about the software downloading and unzipping the files, i was talking about using remote files.


Yes, i misunderstood this...

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: new class - diff ?

Post by Yawnster »

Can I clarify one thing about your plan.. Who is going to pay for the bandwidth on such a server? As phpBB is a non-profit organisation it does not have the resources to host such a service personally, I also do not see Sourceforge offering such a service..

This is one obstacle I see in the way of this, personally I think 1-click updates are great, but for this purpose I don't agree, phpBB.com has been compromised before, as has my site, as have other big names, it happens.. It may not be the phpBB's software that is at fault, but if such a compromise happens again and there is the kind of power available to do such a thing as send out updates to hundreds of thousands of installations.. I'm scared. Also, I have never met Miek or any of the development or even any of the entire phpBB Staff.. I trust them enough to use their software and to trust their judgement, but I wouldn't like to grant them the kind of access you are suggesting just because it's good practice not to..

I think it's a great idea if the internet had no-one that intended to misuse it, but it does and with a feature like this it's bound to raise some heads in certain circles..

Yawnster