Upgrade to XenForo 2.x because the current version is unmaintained

Status

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
Hi,

MC-Market should update to XenForo 2.1. The current version of XenForo that MC-Market is using is no longer maintained and will not receive any further security updates.

Source: https://xenforo.com/community/threads/xenforo-1-5-is-no-longer-supported.165946/

Running unsupported software at this scale is definitely something that should be avoided asap. In addition to this XF 2.1 contains countless features that the community has been requesting over the past few years.

While I understand that there will be a cost to upgrading, I think it's something that should be put on the top of the priority list. Staying outdated for much longer has no point and it'll have to happen eventually.

Some new features:
- Out of the box functional REST API
- Automated updates for XF itself
- Native browser push notifications (also works on mobile and is actually pretty great)
- Native support for Android/iOS emojis across whole forum
- Various improvements to forum notices (which MCM uses quite heavily)
- Added markdown (more customizable threads)
- MUCH more flexibility and customisation possible with XF Styles and better support for mobile
- Things like widgets are out of the box included to XF2 now instead of having to use addons which cause hacky ways of other addons injecting in each other.
- The way you edit posts and create new threads has improved so much. It's much more instant and more user friendly (imo)
- much much much more.
 
Status
Implemented
Last edited:
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Aekalix

Terraforming Connoisseur
Premium
Feedback score
46
Posts
1,725
Reactions
1,264
Resources
0
The XenForo software we’re using is well known to be stable, and has been tested on such an incredible number of servers for such an incredible amount of time before reaching this point. It is far more likely that we would encounter a security flaw in XenForo v2, which is a complete recode of the platform, hasn’t undergone the same test of time that XenForo 1 has, and is actively receiving new updates.
As is often quoted, debugging is the process of taking bugs out, programming is the process of putting them in. It’s very much expected that many of XenForo 2’s updates to come contain bugs, and maybe one or two of them is a major security issue for MCM.

I feel much safer on our current, better tested version of software, where we control all of the new code being introduced and where core functionality is rarely touched.

Security is not the main issue. In my opinion, that is just being thrown in with the rest of the less provoking reasons for upgrading in order to try and stir up a sense of urgency.

That said, upgrading is still necessary, and ASAP is certainly the best plan. The longer we put it off for, the more money we toss out getting features custom developed for this version of XenForo, and the more we have to re-spend later to get those features re-developed for version 2. It’ll also be more painstaking to transfer because there will be more data needing handling and conversion where necessary.

I would just prefer if the idea stop being spread, that our users are being put at risk by us being on XenForo v1, or are being put at risk any more than they would be if we were on the recoded version.
This is anecdotal evidence. Got nothing much to comment on, but it's based on nothing. Both statements.
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
Security is not the main issue. In my opinion, that is just being thrown in with the rest of the less provoking reasons for upgrading in order to try and stir up a sense of urgency.

I would just prefer if the idea stop being spread, that our users are being put at risk by us being on XenForo v1, or are being put at risk any more than they would be if we were on the recoded version.

I feel like if you were an IT manager somewhere you'd never push to have the latest and greatest just because.

I've personally only ran the forum for about 6-7 months so I can only speak for that period. I've had 1 serious security issue with one of our addons. This was discovered by morganjp. We ended up reporting the issue and the addon developer pushed a fix within 4 hours. This speed of this push was caused by the addon developer being active and understanding the severity of the issue.

Security flaws are definitely a thing. They're everywhere, no matter how stable and old you think your software is. Look at the security flaws that Google, windows 10, etc have had. You're much more likely to get a quick update when you're running the most recent software (of anything, not just XF) as developers are likely to back off when it comes to updating something obsolete with a low usecase.

Using the argument that "XF1 has been running safe and sound for the past x years so it's more stable" is stupid. XF1's code is literally trash, hence why a rewrite was necessary. It's only a matter of time before an exploit is found, maybe not specifically with Xenforo but perhaps underlying software such as PHP. Upgrading would be no option because the more recent PHP versions will likely have depreciations of certain features that XF1 utilizes. At that point, you're literally stuck.
 

alice

Supreme
Feedback score
24
Posts
310
Reactions
178
Resources
0
I feel like if you were an IT manager somewhere you'd never push to have the latest and greatest just because.

I've personally only ran the forum for about 6-7 months so I can only speak for that period. I've had 1 serious security issue with one of our addons. This was discovered by morganjp. We ended up reporting the issue and the addon developer pushed a fix within 4 hours. This speed of this push was caused by the addon developer being active and understanding the severity of the issue.

Security flaws are definitely a thing. They're everywhere, no matter how stable and old you think your software is. Look at the security flaws that Google, windows 10, etc have had. You're much more likely to get a quick update when you're running the most recent software (of anything, not just XF) as developers are likely to back off when it comes to updating something obsolete with a low usecase.

Using the argument that "XF1 has been running safe and sound for the past x years so it's more stable" is stupid. XF1's code is literally trash, hence why a rewrite was necessary. It's only a matter of time before an exploit is found, maybe not specifically with Xenforo but perhaps underlying software such as PHP. Upgrading would be no option because the more recent PHP versions will likely have depreciations of certain features that XF1 utilizes. At that point, you're literally stuck.
Agreed, you should always update to the newest version of any software (as long as it's not completely bleeding edge) if you care about security. It's obsolete software that gets exploited the most, particularly software that no longer receives any security updates.

I'm not a XenForo developer or PHP developer, but as another user said on this thread, the McMarket theme is pretty basic with barely any customization. I'd imagine that any competent developer would be able to port the entire forums in a week (maybe a couple of weeks), unless there's something I'm missing.

I recommended some basic postbit changes months ago (renaming "Messages" to "Posts", making reputation green, etc.) and although it got 20 upvotes/agrees, nothing has happened, even though it would only take 2 minutes to change. And I know it's only a 2 minute change because I tried XenForo a couple of years ago, and it took me less than 5 minutes to make that change even though I was completely unfamiliar with the framework.

P.S. McMarket isn't known to care about security. That's why they let threads like this exist https://www.mc-market.org/threads/520710/ even though I've made it clear 20 times or so that there's database leaks on half of those e-mails, which means any of those accounts could easily be hijacked and used to scam with (even a staff member said somewhere many scams only happen due to hijacked accounts). And there's no login verification either for logging in with a different IP address, which every normal website has. I'd imagine a simple login verification implementation would be a top priority if a lot of people scam with stolen accounts.
 
Last edited:

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
I feel like if you were an IT manager somewhere you'd never push to have the latest and greatest just because.

I've personally only ran the forum for about 6-7 months so I can only speak for that period. I've had 1 serious security issue with one of our addons. This was discovered by morganjp. We ended up reporting the issue and the addon developer pushed a fix within 4 hours. This speed of this push was caused by the addon developer being active and understanding the severity of the issue.

Security flaws are definitely a thing. They're everywhere, no matter how stable and old you think your software is. Look at the security flaws that Google, windows 10, etc have had. You're much more likely to get a quick update when you're running the most recent software (of anything, not just XF) as developers are likely to back off when it comes to updating something obsolete with a low usecase.

Using the argument that "XF1 has been running safe and sound for the past x years so it's more stable" is stupid. XF1's code is literally trash, hence why a rewrite was necessary. It's only a matter of time before an exploit is found, maybe not specifically with Xenforo but perhaps underlying software such as PHP. Upgrading would be no option because the more recent PHP versions will likely have depreciations of certain features that XF1 utilizes. At that point, you're literally stuck.
I’m not sure how you got that first statement out of those two quotes. I clearly stated that upgrading is both necessary and should be done ASAP. In what way does this mean that I would "never push to have the latest and greatest"? Please.

All I have suggested was that upgrading comes with its own risks not applicable to XF1, and the sense of danger being associated with us being on XF1 is unwarranted. (It would be pretty ironic to be attacked using an XF2 exclusive exploit soon after updating, wouldn’t it)
There is a warranted sense of danger in using EOL software for an extended duration, however we have absolutely no intention of using EOL software for any significant or unnecessary period of time, and XF1 doesn’t even reach EOL until the end of May. I simply don’t want our users feeling like they are actively in danger every day over the next few months, because writing all of the documentation, updating all of our custom addons, customizing the new XF2 addons, and porting over all the data from our old addons to the new ones will likely require every bit of that time.

You don’t need to try and convince me that we need to update. It’s already happening, nobody is arguing against its necessity.
All that I am asking is for an absence of fearmongering during the process.
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
There is a warranted sense of danger in using EOL software for an extended duration, however we have absolutely no intention of using EOL software for any significant or unnecessary period of time, and XF1 doesn’t even reach EOL until the end of May
That was end of May 2019. Shows how much you know about this topic.
Once the active support period has passed, we will only release new XenForo 1.5 versions if security flaws are identified. We will continue to do so until December 31, 2019, after which there will be no further XenForo 1.5 updates of any kind.
 

Sloth

Feed Me
Supreme
Feedback score
6
Posts
4,369
Reactions
2,660
Resources
0
Mc-Market should update to the latest software available to them in order to ensure stability and greater opportunities for the community. Remaining on XF1 and waiting until something goes wrong to justify an update is ridiculous. Why wait for something bad to happen when you can prevent issues now?
 

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
That was end of May 2019. Shows how much you know about this topic.
Fair enough, I’ll redact that point. It remains the case however, that updating everything is going to require time, and unless we want to take down MC-Market until the update is ready, it is going to be necessary to stay on XF1 until everything is done.
We both want to update ASAP. If there’s something specific that you want me to do differently, let me know.
https://gyazo.com/001304aca56448defc4d25c326f1e54c
Since I didn’t provide an example last time I mentioned XF2’s unique dangers, here’s a report you made about an SQL injection exploit only possible on the XF2 version of our reputation system addon, because it had to undergo a complete recode, as every addon has. Because we were on XF1, we were immune.

Mc-Market should update to the latest software available to them in order to ensure stability and greater opportunities for the community. Remaining on XF1 and waiting until something goes wrong to justify an update is ridiculous. Why wait for something bad to happen when you can prevent issues now?
We’re already in the process of writing documentation for updating. Nobody has suggested waiting until an exploit becomes known before updating. It’s happening.
 

Sloth

Feed Me
Supreme
Feedback score
6
Posts
4,369
Reactions
2,660
Resources
0
Fair enough, I’ll redact that point. It remains the case however, that updating everything is going to require time, and unless we want to take down MC-Market until the update is ready, it is going to be necessary to stay on XF1 until everything is done.
We both want to update ASAP. If there’s something specific that you want me to do differently, let me know.
https://gyazo.com/001304aca56448defc4d25c326f1e54c
Since I didn’t provide an example last time I mentioned XF2’s unique dangers, here’s a report you made about an SQL injection exploit only possible on the XF2 version of our reputation system addon, because it had to undergo a complete recode, as every addon has.


We’re already in the process of writing documentation for updating. Nobody has suggested waiting until an exploit becomes known before updating. It’s happening.
Actually one of the other staff members earlier in the thread had mentioned this. This was before BeBosny had been speaking with Mick. I should've just quoted them to avoid this so that's my bad.
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
We’re already in the process of writing documentation for updating. Nobody has suggested waiting until an exploit becomes known before updating. It’s happening.
You don’t need to try and convince me that we need to update. It’s already happening, nobody is arguing against its necessity.
All that I am asking is for an absence of fearmongering during the process.
It remains the case however, that updating everything is going to require time, and unless we want to take down MC-Market until the update is ready, it is going to be necessary to stay on XF1 until everything is done.
Until I started this thread, there wasn't much word about XF2 in here. The only things I heard from MCM staff is that it's too expensive and that XF1 is more stable. Even when I started talking to Mick, he wasn't sure if upgrading was necessary or that it's going to be a hard "sell" if it goes above a certain budget. I'm not saying to close down this forum or anything. I just started this thread to raise some awareness towards staff and the community because Mick stated several times publicly on this forum that an upgrade will not happen in a few years. And this was AFTER XenForo announced that XF1.5 is going EOL.

I'm sure if it wasn't for this thread, or any other similar one, the urgency of this wouldn't be as high as it is now.
You're miswording it. Mick wasn't 100% sure if he should upgrade. He only wrote documentation to get quotes from developers/see if it's worth it. And this was recently from my understanding.

Another thing to add on to this, I find it concerning with the tone and confidence you're speaking with. Literally 2 days ago Mick was hesitant about upgrading and now you're selling it as if you've been working on it for months. If you guys had any sort of decent management and planning, you would've taken XF's EOL announcement and actually already started preparing some of the addons to be ported so you can actually run XF2 BEFORE XF1 goes EOL.

The reason why my tone is a bit hostile in this thread because things like this trigger me. The fact you don't understand that running unsupported software is just a huge security risk. The fact that companies and addon developers simply back off when it comes to providing security updates and other kind of updates to software that's simply below industry standard.

https://gyazo.com/001304aca56448defc4d25c326f1e54c
Since I didn’t provide an example last time I mentioned XF2’s unique dangers, here’s a report you made about an SQL injection exploit only possible on the XF2 version of our reputation system addon, because it had to undergo a complete recode, as every addon has.
This isn't a danger with XF2. This is a danger with general software development and developers. Things like this happen frequently. You're implying that this wouldn't be possible with XF1.5. The funny thing is, this same developer released a security update for XF1.5 just in August 2019 so XF1.5 might not be as secure as you're claiming it to be ;) In fact, he's released a few of them over the course of the past few years for XF1.5.

Which makes statements like these completely bullshitt:
Security is not the main issue. In my opinion, that is just being thrown in with the rest of the less provoking reasons for upgrading in order to try and stir up a sense of urgency.
I would just prefer if the idea stop being spread, that our users are being put at risk by us being on XenForo v1, or are being put at risk any more than they would be if we were on the recoded version.
All I have suggested was that upgrading comes with its own risks not applicable to XF1, and the sense of danger being associated with us being on XF1 is unwarranted. (It would be pretty ironic to be attacked using an XF2 exclusive exploit soon after updating, wouldn’t it)

I would honestly suggest you stop responding to threads if you don't have anything useful or smart to say. Most of your responses have no clear point and contain stupid arguments (with sometimes incorrect information). That is concerning considering you're one of the highest ranked members on this forum.
 
Last edited:

Justis

Community Member
Management
Feedback score
61
Posts
2,117
Reactions
2,414
Resources
0
Until I started this thread, there wasn't much word about XF2 in here. The only things I heard from MCM staff is that it's too expensive and that XF1 is more stable. Even when I started talking to Mick, he wasn't sure if upgrading was necessary or that it's going to be a hard "sell" if it goes above a certain budget. I'm not saying to close down this forum or anything. I just started this thread to raise some awareness towards staff and the community because Mick stated several times publicly on this forum that an upgrade will not happen in a few years. And this was AFTER XenForo announced that XF1.5 is going EOL.

I'm sure if it wasn't for this thread, or any other similar one, the urgency of this wouldn't be as high as it is now.
You're miswording it. Mick wasn't 100% sure if he should upgrade. He only wrote documentation to get quotes from developers/see if it's worth it. And this was recently from my understanding.

Another thing to add on to this, I find it concerning with the tone and confidence you're speaking with. Literally 2 days ago Mick was hesitant about upgrading and now you're selling it as if you've been working on it for months. If you guys had any sort of decent management and planning, you would've taken XF's EOL announcement and actually already started preparing some of the addons to be ported so you can actually run XF2 BEFORE XF1 goes EOL.

The reason why my tone is a bit hostile in this thread because things like this trigger me. The fact you don't understand that running unsupported software is just a huge security risk. The fact that companies and addon developers simply back off when it comes to providing security updates and other kind of updates to software that's simply below industry standard.


This isn't a danger with XF2. This is a danger with general software development and developers. Things like this happen frequently. You're implying that this wouldn't be possible with XF1.5. The funny thing is, this same developer released a security update for XF1.5 just in August 2019 so XF1.5 might not be as secure as you're claiming it to be ;) In fact, he's released a few of them over the course of the past few years for XF1.5.

Which makes statements like these completely bullshitt:




I would honestly suggest you stop responding to threads if you don't have anything useful or smart to say. Most of your responses have no clear point and contain stupid arguments (with sometimes incorrect information). That is concerning considering you're one of the highest ranked members on this forum.
My response to this thread was to address the incorrect assumption that we’re "waiting until a breach is made before updating", which has never even been entertained as a valid option by management. Moreover, it was to ease the unnecessary fear being spread regarding XF1 while we can’t do anything about getting updated faster anyway. As you’ve already pointed out, security risks are present in all software, be it software that’s being actively developed, or the final stage of a piece of software at the end of a long history of development and use. Your responses to me however, which accused me of not wanting "the latest and greatest" and then further arguing that we should update when I’ve already expressed in each one of my posts that I share that opinion and that updating is in the works, is what I find to be unnecessary and unhelpful. If you have a genuine suggestion on the topic of updating, then I’m happy to hear it. However, so far you only seem to be intending to get a dig in at me?
Unless a genuine suggestion is made, I’ll allow you to continue without hearing a defense from myself from now on. So feel free.
 

Marisa

that one nivia owner
Premium
Feedback score
16
Posts
170
Reactions
366
Resources
0
The immense amount of laziness from the staff I see in this thread upsets me.

I don’t want to hear “oh no it’ll be fine staying on this xf” because it won’t be. Once an vulnerability comes out for this XenForo, that’s it. It’s over. It’s not getting fixed, and it’s not worth bandaging.
 

oflords

LordRealm Games CEO
Premium
Feedback score
3
Posts
16
Reactions
45
Resources
0
The amount of fear-mongering here is crazy. Zenforo 1.5 has had 3 revisions since September 2018 while being announced dead in May 2019. Since then no security updates were pushed.

Unless some crazy exploit is being sat on there is no real danger or real reason to drop everything and upgrade to it IMO. 2.0 has only been around for a couple of years but 1.5 has been widely used for ages.

Just to clarify, Justis is not saying upgrading is bad and neither am I. Upgrading is a good idea for software in any case but getting there is not as easy as pushing a hotfix and enjoying it. A transitional period would be needed, more issues then before and lots of resources needing to be put into it.

Raising awareness to swap is a good idea but don't be hostile or create mass hysteria over the fact that without upgrading MCM is unsafe and sucks. Enjoy the site as you probably have for ages and let the managing team get done what they need to at a pace that they are comfortable with.
 

Mick

BuiltByBit Owner
Management
Feedback score
28
Posts
6,413
Reactions
7,704
Resources
0
We are planning to release our migration to XF2 at some point in the future. It is a huge task requiring tonnes of development and time to document/prepare/plan everything. It'll be the biggest update MCM has ever seen and we're pretty excited for it.

I'll move this to pending until we do. Thanks.
 

Mick

BuiltByBit Owner
Management
Feedback score
28
Posts
6,413
Reactions
7,704
Resources
0
We are planning to release our migration to XF2 at some point in the future. It is a huge task requiring tonnes of development and time to document/prepare/plan everything. It'll be the biggest update MCM has ever seen and we're pretty excited for it.

I'll move this to pending until we do. Thanks.
Well that was an understatement!

We're on XenForo 2 now, so I'll mark this as implemented. Thanks for the suggestion.
 
Status
Top