
Messages - Arantor
The Pub / Re: Wedge financial support
« on August 22nd, 2011, 10:46 AM »
If and when we go down the road of financial support, that's where I suspect we'll go first.
The Pub / Re: Wedge financial support
« on August 22nd, 2011, 09:00 AM »
Quote
I really wouldn't consider the SMF Charter program a form of donation acceptance.
Precisely my point. It is ostensibly a donation program but the reality is that it is much closer to being a paid service than a donation.
Quote
A donation is a form of presenting a gift or contribution without the expectation of receiving something in return. Other than some form of acknowledgement, if desired, nothing else should be expected from the result of donating.
Yup. Like I said, I personally would be comfortable with offering a badge to indicate donor, but anything beyond that is questionable.
The Pub / Re: Copyrights
« on August 22nd, 2011, 08:58 AM »
Yes, but we don't actually say anywhere that the file applies...
The Pub / Copyrights
« on August 22nd, 2011, 02:40 AM »
I bumped into http://www.simplemachines.org/community/index.php?topic=447676.0 today, makes interesting reading.

Now, we haven't reproduced that header in every file. Apart from the fact it's bloaty, I'm not convinced we need it in full like that, but I DO get the impression that our current header will be seen as bending[1] the rules of the licence, which says:
Quote
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimers.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution.
Meanwhile our header is:
Code:
/**
 * @package wedge
 * @copyright 2010-2011 Wedgeward, wedge.org
 * @license http://wedge.org/license/
 *
 * @version 0.1
 */

Note that while we mention SMF 2.0 in the credits page, our licence document (even the one on wedge.org) doesn't and nowhere do we actually credit their copyright, so on strict letter of the licence, we're not compliant. I know it's petty, and I'd like to think they wouldn't kick off about it, but I think it's clear they probably would and I'm not sure I'd call them wrong for it on this one.

We don't need to have vbgamer's full verbosity:
Code:
/**
 * ezForum http://www.ezforum.com
 * Copyright 2011 ezForum
 * License: BSD
 *
 * Based on:
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines http://www.simplemachines.org
 * @copyright 2011 Simple Machines
 * @license http://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.0
 */

But I think we can suitably get away with it thus:
Code:
/**
 * @package wedge
 * @copyright 2010-2011 Wedgeward, wedge.org
 * @license http://wedge.org/license/
 * @copyright Portions: SMF 2.0 courtesy of www.simplemachines.org under the New BSD licence (http://www.simplemachines.org/about/smf/license.php)
 *
 * @version 0.1
 */

One extra line in the header per file and then we're acknowledging their copyright and their licence. Thoughts?
 1. Or breaking them entirely, but I'm ever the optimist here.
Features / Re: Login with eMail instead of username
« on August 22nd, 2011, 01:30 AM »
That's the thing. I've worked professionally in the past with various helpdesk systems, with intranet/extranet tools, financial infrastructure systems as part of my former career in financial services - and of all the web based tools I used, even those where multiple firms had login details to the one system (think credit reporting systems), even those did not have email address, but username, logins.

In fact, of all the services I have used and continue to currently use that have the 'professional' mentality attached, more of the services I use do not use my email address as my primary login, though all of them have my email address, so I'd argue that's probably not a great case to make either in the name of using emails for 'professionalism'.

There IS a case that can be made for using email authentication. It's really not a great case, especially if you change email addresses, make a typo and then you're really locked out of your account. (Yes, you can be locked out of your account otherwise for the same reason, but realistically you have a better chance of getting it fixed if you have a username attached to it that you're normally using.)

I should point out that this debate has already been had, once on sm.org, once here before. The fact remains that people will continue to be insecure in spite of any measures you place making them more secure, and if someone can type in a username instead of an email address, they invariably will, because it's easier.

Case study: I used to work at a corporation that had a 30 day expiration policy on passwords. Each password had to be a minimum of 8 characters, contain no dictionary words, and include upper and lower case plus at least 2 characters that were either digits or symbols. Oh, and no reusing any of the last 3 passwords.

This was for financially sensitive systems, whereupon you would regularly have people phoning up IT to change their passwords because they couldn't remember them. Unless they wrote them down on post-it notes on their monitor. This sounds like an urban legend but I saw it happen every single day.

The consequence is that the more you do to make it more secure, the harder it is for users to use: complex passwords that change regularly mean users try to find easier passwords to remember, bearing in mind the potentially short term therein.

The moral of the story is that users will use what is easiest, not what is theoretically best. That's why people still use 'password' as their password, because it's easiest for them to remember.
The Pub / Re: Wedge financial support
« on August 22nd, 2011, 01:12 AM »
Quote
One should not expect to be singled out for special treatment simply because of offering a donation. That would more or less be considered payment for services, not a donation.
Then such setups should be very careful when offering services in return for a 'donation'. I am thinking here of the SMF Charter program, which is ostensibly a donation but offers services that go above and beyond the sort of thing that a donation would entail.

For example, MobyGames has a donation setup. If you donate, you get a little star by your name, to recognise the fact that you donated to the cause. There's no service attached, merely an indicator that you donated to the cause.

Similarly, I don't really have a problem with getting a badge indicating a donation was made. But when that donation involves access to a private help area, which includes installation and upgrades potentially being made for you, that's something else altogether.[1]

This is also why somewhere I discussed getting t-shirts sorted out, simply because that way you get something tangible and there's no ethical debate over it being donation vs. service. You're buying a tangible good, rational transaction of money for goods.
 1. I'm not sure whether I'd consider access to pre-release builds as being a reward for a donation or part of something better described as a service, because there's more going on than a simple exchange of money for builds, invariably bugs and so on are reported, which means they can be fixed. It's almost a form of contribution *back*, especially from people who are actually invested and thus more likely to give back. It's certainly an interesting topic for debate.
Features / Re: These two bytes may not matter to you...
« on August 22nd, 2011, 01:06 AM »
You did, yes, and I thought glancing at your latest commit you'd answered that question.
Quote
Okay, Pete -- back to the topic... I was looking into the wedge_themes table (the per-theme per-user settings), and noticed that there is a 'skin' variable in theme id = 1. I'm a bit in a hurry and should leave and have been unable to find this for now -- could you look into the code (or anyone with svn access) and tell me where this variable is retrieved and used, exactly...? I'm considering either dropping it, or using it more...
What does that actually mean for users?

Presumably, a user should be able to pick any skin from any currently available theme? (Assuming admins allow them to choose) If that's the case, does it need to remember which skin within a given theme that a user picked?

i.e. if you have two actual themes, and two skins in each (Themes 1 and 2, skins A & B, giving you 1A, 1B, 2A, 2B), when the user picks a skin from 1 (say 1B when 1A is default), then switches to 2 (either), should the fact they picked 1B be remembered if they come back to 1 later?

I'm inclined to think not, which without looking over finer points, seems to me to suggest we don't need it and only need to bother with what the user currently has selected, i.e. in their record in the members table.
Features / Re: These two bytes may not matter to you...
« on August 21st, 2011, 11:36 PM »
Quote
1. Well yes xenophobic/discriminatory.
I see it as virus like because it forces everything it touches to be adherent, and 'compatible with GPL' is a sufficiently vague definition that makes it hard to judge what's going on.

From what I gather, Joomla enforces the GPL strictly, which means in their view even LGPL doesn't really fit since LGPL does not 'guarantee the same freedoms' of the software and its uses that the GPL does.

Theoretically, the GPL should be an ideal licence, because it is supposed to ensure that code is produced that everyone can use without restriction on that use. Except that the reality is slightly different: the restriction that is supposed to ensure the freedom of the code is in itself a restriction, meaning that people who have a different idea of freedom, like the BSD people, are in effect kept at arms length simply because they have a different definition of freedom.
Quote
2.  He's the Julian Assange of the open source community, all ego, wrong in so many ways.
He doesn't like it if you call him out on his viewpoint.

The debate I read recently was about him lambasting the OpenBSD people for not conforming to his views on 'free' software. I'm not fully conversant with OpenBSD, but I gather there is a ports area in the repository that links to external software where people can go to get things, and he takes the view that having such things in the base distribution (*links* to non-free software) is promoting their use, which it isn't. Then he completely ignores the fact that the same basic argument is levied against Emacs, which has code in it specifically to engender it running on non-free platforms. His argument is that if you don't encourage people to use free platforms, you're somehow wrong - which is sort of blown out of the water with Emacs. (Since if he were holding true to his line of argument, Emacs wouldn't be provided on Windows, when in fact it has a bunch of code in the core to make it run on Windows.)
Quote
(FSF || Richard Stallman) != Free Open Source Community
Richard Stallman basically thinks that the FSF is the holy grail of software development openness. Which it isn't.
Other software / Re: Fork discussion at SMF
« on August 21st, 2011, 11:27 PM »
I think it's fairer to say that they weren't "broken repeatedly with each RC" - each RC did have more bug fixes for the PGSQL stuff, and almost nothing for SQLite, but no-one really tested them that thoroughly, and as such the bugs that are coming to light are simply ones that fell through the cracks.
Features / Re: Login with eMail instead of username
« on August 21st, 2011, 11:26 PM »
Quote from karlbenson on August 21st, 2011, 10:40 PM
Query, I thought it was a little known feature of smf that you could already login with your email address?
Correct, as already mentioned. The request was to make it compulsory to use the email address, as that's somehow more secure (which all evidence I've seen suggests it isn't) and more professional (not all sites want to be professional).
Features / Re: New revs - Public comments
« on August 21st, 2011, 02:55 AM »
Quote
Well it probably is on your side, maybe a conflict or something, because the mysql connection has never lagged for me on WampServer 2.1.
Oh, I finally found out what it was. It's the fact that it lags looking up 'localhost' in DNS, since using 127.0.0.1 works just fine.

Meanwhile I appear to have permanently broken phpMyAdmin's ability to connect. This is awesome, especially because I have no fucking idea how it happened.

For reasons too long to get into, all my local stuff is run with a root user with a password. root@localhost, root@127.0.0.1 and root@% are all defined and valid users in the mysql table. SMF and Wedge connect just happily with any of the above settings.

But phpMyAdmin won't. At all.

If I give it root@localhost, no password, it fails - understandably. But if I tell it root@localhost, with the right password, it tells me it can't connect root@127.0.0.1 (using password: YES). Which, considering they have the same password, is interesting. (Yes: it's actively converting the domain name into an IP)

And root@127.0.0.1 doesn't work either, even though it has the same password as the other root accounts (just varying the hostname).
Features / Re: Login with eMail instead of username
« on August 21st, 2011, 02:46 AM »
I have no problem with clashing ideas, but people don't seem to be understanding one detail. If you're going to argue with me, be fucking prepared to back your shit up.

The information I have been presented with, not only through my own investigations but those of external investigations, tells me that this is not actually something that important.

If someone comes and presents an idea, with hyperbole and insufficient weight to back it up (i.e. any actual evidence), I'm not exactly going to be impressed, especially when it seems fairly clear that what I've already said was ignored in favour of pressing the same idea...

Kids: do not try this at home. I'm already pissed off because I seem to have found a really random bug in phpMyAdmin that I've spent 3 fucking hours trying to make sense of, and arguing with me is a really BAD idea.
Features / Re: Login with eMail instead of username
« on August 21st, 2011, 01:41 AM »
Quote
Not to forget that it looks more serious and professional by logging in with eMail.
No, it doesn't, especially since not everyone actually wants a serious and professional environment.
Quote
I think this is a must have for Wedge.
No, it isn't. If it IS implemented, I certainly won't be doing it.
Quote
Usernames can easily be grabbed and hacked due to brute force from posts.
And you think this is a common occurrence? Trust me, it isn't. I run multiple honeypots right now, and while each has been hit with brute force attacks, the vast majority of them are for users that don't even exist.
Quote
Mail address is hidden by default.
It's better than that, it's not merely "by default". You physically have to give out moderation level permissions for it in order to view them.
Quote
So for me this is one of the most important security standards we can give to our users.
Hardly. I have a very long list of things that ranks higher than this, sorry to say.

Seriously, please take a note of the comments I have already made, specifically the ones where I indicated that the bots are already trying to brute force email addresses, and that not permitting very common, very weak passwords is actually a better method of protecting users than this.

Consider it this way: in any fence of security, the weakest link is where efforts will be concentrated. Usernames are not that weakest link.

Consider this also: you know Facebook, that little site with 750m+ users? That allows login with username. I know, because I happen to use that every damn day. Consider additionally that it's not just a random username then, it's also an *identity* of sorts, with all sorts of personal information far more important than would be found on most forums.
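The check argued for in the post above (refusing very common, very weak passwords rather than hiding usernames), put next to the corporate complexity rules from the password-policy case study earlier on this page, as an added example. This is not Wedge or SMF code and nothing like it is on the page; the deny-list is a constructed sample of a few well-known passwords, and the function names and the leetspeak substitution table are my own assumptions. The point it makes is that a password such as P@ssw0rd1! satisfies every rule of the 30-day corporate policy and is still rejected by a deny-list that normalises before comparing.

```python
"""Added example (not Wedge/SMF code): reject passwords that are on a
common-password list, or are trivial variations of one, and compare with
the complexity-only policy from the case study."""

import re

# Constructed sample deny-list. A real deployment loads a published list
# of breached/common passwords (tens of thousands of entries or more).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "monkey", "dragon", "football",
}

# Assumed substitutions users make to dodge naive checks: p@ssw0rd -> password
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/punctuation, then undo leetspeak,
    so 'P@ssw0rd1!' compares as 'password'. Stripping happens before the
    leet substitution so a trailing '1!' is not turned into letters."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(LEET_MAP)


def check_password(password: str, username: str = "", email: str = "") -> list:
    """Return the list of reasons a password is rejected (empty == accepted).
    Checks: minimum length, deny-list membership after normalisation,
    reuse of the username or e-mail local part, and near-constant strings."""
    reasons = []
    if len(password) < 8:
        reasons.append("too short")
    if normalize(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    identifiers = [username.lower()]
    if email:
        identifiers.append(email.split("@")[0].lower())
    if any(ident and ident in password.lower() for ident in identifiers):
        reasons.append("contains username or e-mail local part")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def meets_complexity_policy(password: str, previous=()) -> bool:
    """The corporate rules from the case study, minus the dictionary-word
    rule (which needs a word list): 8+ characters, upper and lower case,
    at least two digits or symbols, and not one of the last three passwords."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and sum(not c.isalpha() for c in password) >= 2
            and password not in list(previous)[-3:])


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Tr0ub4dor&3", "password", "arantor2011"):
        print(candidate,
              "policy:", meets_complexity_policy(candidate),
              "deny-list:", check_password(candidate, username="Arantor"))
```

Passing the complexity policy and passing the deny-list are independent outcomes: the first run of the loop above shows a password the corporate policy accepts but the deny-list refuses, and the second shows one both accept. The normalisation is deliberately lossy (it only has to catch the obvious variants); the real protection comes from the size of the list, not the cleverness of the matching.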
Features / Re: New revs - Public comments
« on August 21st, 2011, 01:06 AM »
OK, so WampServer is set and running.

Interesting fact of the day, I have to run Wedge with persistent connections, otherwise it takes a second to connect before going any further. Since SMF does it, it really has to be a problem somewhere in the bowels of the configuration (especially as WampServer appears to be using the originally configured MySQL server, not the one it installed with :/)

But, interestingly, I may have found a random bug where it actually got unset for some reason and I have no idea why that is.
Features / Re: New revs - Public comments
« on August 21st, 2011, 12:43 AM »
Quote
I don't know what you're talking about...
That's the point, it's a surprise :D Though it was something you said that made me think of it... You'll see soon enough!
Quote
Oh, that theme picker is a real bitch when it wants...
Yes, yes it is.
Quote
Where does the error come from? Maybe it's checking into $_GET instead? Can you have a look, Pete?
That applies to every single page in the admin panel. It's done for a while and I think it's a bug of ours (i.e. I can't reproduce it in SMF). I suspect the change to tab_data is responsible from a bit back, but I'll take a look shortly.
Posted: August 21st, 2011, 12:43 AM

Or I will perhaps in a bit longer since my WampServer configuration isn't working properly. Might be conflicting with my original Apache setup >_<