Wedge

Well, MD5's keyspace is theoretically 2^128 but vulnerabilities in the mathematics give it a collision window of 2^40 or so, while SHA1's keyspace is 2^160 with a collision window of 2^51. While that may not mean much to most people, what it really means is that both are vulnerable for really sensitive stuff, and that it's still an order of complexity more to be able to collide SHA1 hashes.

From what's required here, even an MD5 on its own would probably be OK, and that for password hashing nothing less than SHA1 should be used (though that's a separate discussion in itself)

Mind you, while we're on the subject we might as well tackle it. SMF and Wedge (and most other forums) use a hash based on username and password, combined together then hashed for comparison purposes. SMF and Wedge also score slightly higher than most other forums by sending a user's password to the server hashed if possible. Anyway, the hash used in both cases is SHA1, and changing it has large consequences.

The biggest one, really, is about conversions, where users from all other environments (including Wedge itself during migration) would have to re-enter their password. If you're coming from a system with weaker protection, no harm, no foul, you get upgraded anyway. But if you're coming from SMF or similar, you will still have that extra step which may be off-putting to users.

In all other respects about performance, the effort of using something like SHA256 (SHA-2) in place of SHA1 is no big deal, it doesn't even require a schema change in the database because the column has been declared as varchar(64) for ages.

The one thing I do want to mention is what phpBB and WP do (when using portable hashes, anyway), you take the username and password and md5 it repeatedly, making it harder to find a brute force match. I do not like that method, I'm really not convinced it's a security benefit. But I can believe that it might be if you're only working off the username and trying to match the hash through the same process (though I can also believe there are rainbow tables for that too)

Well, of the three options as I see it, the last one is the only sane way to do it, other than putting a ton of crap in the DB and pushing it out to cache files periodically (which is sluggish and horribly inefficient, and not really any more safe) but it's still a lot of work and I'm not sure how reliable it'll be.

The point of using MD5 is to give you something reasonably unique, without being overly long and adding the video ID gives you sufficient uniqueness that it should work fine.

Hmm, interesting... in fact it's more than that because even in other modes it indicates that multiple responses were sent.

I edited the post to remove full paths; while it's not likely to be a major deal, we do prefer it strongly if people only paste the relevant parts of paths.

It is very likely that Nao is currently work on it hence the errors.

Shouldn't it do that on re-calling .sb() anyway? I've never seen a problem with it misbehaving when calling .sb()...

Just to provide a bit detail.

The calendar is a plugin in its own right, it's not part of one, it is one. I also made birthday support (sending birthday emails, upcoming birthdays on the board index) a separate plugin, meaning that you can have birthday greetings without the weight of the full calendar, or you can have both, both are specifically designed to interoperate cleanly.

It depends what you mean by 'portal', also. A front page is really only a small part of what the portals offer. There is a front page in Wedge but it's very minimalist and there are no editing/configuration facilities for it at this time, and there is a sidebar by default in Wedge - again, there are no editing or configuration facilities for them. It is not clear at this time whether we will make these things more configurable by default or not, but I suspect we won't put it in the core as it seems to work well enough for most people.As already mentioned, Aeva Media is included by default, however it would be no more difficult than it would be for SMF, and in some ways quite a bit easier. The biggest problem is including the style from Wedge because Wedge doesn't use standard CSS files but LESS-type syntax which it auto-compiles, minifies and optionally compresses for better performance, but it really depends on what you're trying to do as to whether this is a good idea or not.

We may in the future look at an importer from Coppermine into Wedge.