Best Of
Official releases have ended
The last official prebuilt release from Vanilla HQ that was well-tested was 4.0 RC1 in Jan 2021. No active developer from Vanilla has communicated here since 2021, nor any other staff member since Feb 2023. I departed Vanilla in Feb 2020 and am no longer active here.
A handful of community members periodically distribute newer builds using the raw source code. Those releases are in the Community Developer category and pinned at the top of main discussion list. Others have moved to Flarum.
Please exercise caution downloading zip files from discussions on this site, as anyone has the ability to post them! Check their post histories first. Good luck!
Re: Vanilla 4.0 RC1 is now available
... and it should not be on Softaculous:
This is an RC (release candidate). It is not intended for use in production environments. It is pre-release software. Install it in some kind of sandbox
People who need a one click installer are not the best software testers, I'd say.
And on the other hand, a company who wants to simplify the install process of a software shouldn't care for software that is announced not to be for production use.
Vanilla 2023.008 Open Source Release
2023.008 successfully built. Tested on php 7.4 and seems working php 8.1 (lot of warnings in log like previous releases). Permissions bugs with custom profile fields is gone 🤩
1) Go "/utility/update" to update database. Like previous releases "/utility/update" return sometime 'Something wrong...' but update status is ok in config.php. So check update status and date in config.php
2) You have to add "version.json" in root folder
3) If database error during upgrade (MariaDB / Cpanel...) removing ALGORITHM = INPLACE LOCK = NONE in: applications\vanilla\settings\structure.php & library\database\class.databasestructure.php
Please read previous OSS Custom builds threads for fixing various problems.
It's perfectly working on a php 7.4 install.
Our HackerOne campaign & how it affects security at Vanilla
Hi all, I wanted to give you an update on the state of security practices at Vanilla, especially as it relates to HackerOne and our open source patch releases. I'll start with some background info, update you on the latest news, and then do a brief question & answer.
HackerOne background
HackerOne is a security bug bounty platform, which means it's a place for hackers to report discovered security issues in exchange for money, rather than using them maliciously. We launched our campaign there over a year ago and overall it's been very successful. Our rationale for doing so was that our open source users overlap very little with security researchers and therefore we receive little security scrutiny naturally. We decided it was in the best interest of both the company and the community to invest in more experienced folks investigating our software for problems.
In short, it's a very tangible way to prioritize security and invest in it, so we did so.
We've had an uptick in security releases since the program started, and moreso in the last few months. We expect to do more security releases before the end of the year. Basically: the program is working and our code base is being scrutinized more than it's ever been, so we're shipping patches as fast as we're able.
Some current metrics:
- We've awarded over $34,000 in bounties.
- In total, we've now evaluated 600 reports.
- Among them, we identified 139 legitimate reports from 73 different hackers.
- We average 1 day to ticket response, 6 days to triage, and 1 month to resolution.
"Resolution" for us means shipping an approved patch to both cloud and open source (all supported versions).
In the month of September we saw an abnormal surge in activity (more than 3x our normal level of legitimate reports) which caused some minor delays in delivering all patches.
Latest news
Yesterday, our company was blackmailed on Twitter regarding the open source release of a security patch. (Cloud customers were not affected by this threat; they were previously patched.) This was done by one of the HackerOne security researchers ("hackers") participating in our program (thus breaking the terms of service on HackerOne) who also made several accusations about our security practices. I will indirectly address some of those via question and answer below. We had awarded the hacker $3,000 in bounties, including $900 for the security patch in question prior to the blackmail.
The issue was submitted on Sept 18. 20 days ago, the hacker asked for an additional status update on the open ticket. We had previously explained the cause of delay (trying to bundle multiple security patches into 1 release to reduce the need for OSS updates) so we did not reply this time. 5 days ago, they asked again for an update and minutes later publicly messaged me a passive aggressive inquiry to my personal Twitter account (not the company's). We have escalation points listed in our campaign, we have a public company Twitter account, and my personal account is not tied to HackerOne in any way. I viewed this as an implicit threat and immediately blocked the user and ceased engaging over HackerOne. In retrospect, I should have passed on the HackerOne ticket to a colleague.
Yesterday, they included our company account on threats to 0-day our open source community (release details on an exploit for which no patch has been released) on Monday morning if the situation wasn't rectified to their liking. I am still unclear whether that happened. I later unblocked and engaged with them on Twitter to address some of the accusations made.
The direct consequence was a rushed late Sunday night release of Vanilla 2.6.4. In our haste, we accidentally included a config.php
in the initial release that caused problems for some users. This was fixed by 8:20am ET this morning (thank you to Softaculous, @pioc34, and Twitter user console for quickly pointing out my mistake). We apologize for the oversight. We have fixed our tools to prevent a repeat.
You may recall the 2.6.1 release was similarly rushed. This was a process error on our part, not malicious activity. We accidentally agreed to disclosure of a security vulnerability that had not been patched in the 2.6 release. We've altered our process to prevent a repeat of that incident.
There's a lot of communication overhead to dealing with a HackerOne campaign in a growing company. We're learning quickly and adapting, and we apologize for the missteps we make along the way.
Question & Answer
How does Vanilla organize security releases?
We have a 5-day SLA on patching Critical exploits (usually we patch in 1 day). We backport all 'Critical' and 'High' severity patches to the latest stable releases of Vanilla. We patch cloud before open source. For Critical issues, this is usually a delay of minutes. For High issues, it may be delayed to open source by days or weeks to roll together multiple patches if they will soon be available. (We optionally backport 'Medium' severity patches at our discretion and do not backport 'Low'.)
Why does Vanilla sometimes hold security patches before releasing to open source?
The terms of our HackerOne campaign forbid disclosure until the report is resolved. We may hold a patch to group with additional patches in a single release if we have other similar severity reports open. We do this to avoid "update fatigue", where users start skipping updates if they are issued too frequently. We do not hold 'Critical' severity reports; they are always released immediately.
Why doesn't Vanilla issue CVE identifiers for reports?
Neither our customers nor open source community have requested this. It would require more time and steps to our workflow to accommodate this. In general, the only folks who have requested this are hackers seeking recognition. We previously provided public recognition in our release notes on this forum. We now provide it via HackerOne report disclosure. We do not contest the disclosure of resolved issues on HackerOne.
Why doesn't Vanilla make more explicit commit messages when patching security issues?
Sometimes we make commit messages that are either vague or technically accurate but not entirely forthcoming. We do this in the interest of not raising attention to an issue before we can finish the open source release process. Because our core software is entirely open source, a careful observer could gain awareness of a vulnerability and figure out how to abuse it before anyone has the option to update. Basically, we're buying you as much time as we can by not detailing every exploit and drawing attention to them. We understand some hackers take issue with this. We are more interested in protecting our users.
Why doesn't Vanilla have an automatic updater?
This is a huge feature fraught with its own security implications. We would support an open source effort to add this functionality to Vanilla, but we're not able to dedicate the resources necessary to it at this time so it seems very unlikely at this time. It remains the responsibility of each forum administrator to monitor our accounts for updates and do them in a timely manner. We use all available channels to communicate new releases when they are available (social media, email, and in-Dashboard feed). Before anyone says "but WordPress did it," kindly recall they are 1000x our size.
Thanks for reading and let us know if you have questions or suggestions in the comments.
Vanilla 2023.001 Open Source Release - PHP 8 Works! (Built From Source)
Hi All,
Woke up to the notification of the new 2023.001 Open Source release this morning.
Built it from source and am happy to report that most of the issues encountered in previous builds now all appear to be fixed from what I can see so far.
PHP 8 now properly works without any of my previous workarounds - Tested on PHP 8.1.12 and the absolute latest PHP 8.2.1! All works as far as I can see! 😁
The Admin Dashboard CSS display error that's plagued pretty much every release since 2021.012 is also sorted out now.
The blank "User Profile" page from the previous 2022.025 release is now working.
Have attached the built release for you all to enjoy!
Vanilla 2022.024 Open Source Release - Built From Source + Broken Admin Dashboard FIXED!
Merry Christmas all! :)
Here is the latest available Vanilla release (2022.024) built from source code, with the broken / blank Dashboard issue from some of the most current releases also fixed up. ☺️
Note: While I messed about and managed to get 2021.009 working on PHP 8, I have not had success with that yet for 2022.024, so this build will require PHP 7.4 still - but hey I figure that this is still an improvement on the last 2021.009 release!
TIP: Head over to the "Labs" page in Settings (/settings/labs) and enable the new Layout Editor, then go to the Appearance tab to customize the site layout :D
Ready to move to Flarum? I might be able to help
A couple weeks ago I did the first full community migration from Vanilla to Flarum. I'm willing to do a few more for free to work out further issues with the forum migration software I'm building.
Criteria:
- non-commercial community
- less than 5 million posts
- no hate speech on site
- timeline is 1-3 months (estimate only, depends on my weekend availability)
Caveats:
I'm not currently able to provide troubleshooting assistance for setting up a new Flarum site. You will need to set it up ahead of time with the appropriate plugins (I will provide a list of standard extensions to use if you want things like badges or private messages to transfer).
You will be responsible for moving files (uploads and avatars) separately. I'll provide instructions for that as well.
You will also be responsible for any redirects you wish to set up. Happy to provide advice from what I know, but that's not something I'm willing to set up for you today.
Workflow:
- You do a SQL export, zip it, and send me a link via a file service like Dropbox.
- We'll discuss how to handle special edge cases in your forum and I'll iterate on it for a bit.
- I'll provide 1 test SQL export for you to evaluate and provide feedback on issues you find.
- I will fix issues I'm willing and able to, then we'll pick a day for the final migration.
- Expect a full day of downtime. When ready, put your site into maintenance mode and send the final SQL export the same way. I'll return the finish product the same way.
I will provide a UTF-8 export regardless of what you initially provide. It's important you FORCE the test & final import to use UTF-8 encoding rather than letting the database tool detect and set it itself.
Security:
I'm willing to sign a very, very narrow NDA about data privacy if you require it. However, also note I have far more data security experience than most folks running forums (I drove application-level security efforts at Vanilla Forums Inc for most of its existence), so rest assured your data will only exist on encrypted drives and/or behind 2-factor authentication on my side, and I have no interest in it beyond improving & testing the migration software. The only time it's exposed is while we're transmitting it to each other via Dropbox link. Do not upload a data export to this site.
Interested? Fill out this form: https://forms.gle/rdB1SmgGNPMU6rML6
Private messages on this site are fine, or email me ( linc at icrontic.com ) with questions. Also happy to answer questions about DIY migrations or otherwise talk shop about communities.
Re: Where do we go now ?
I've gone ahead and built a release from the available sources released 4 days ago(!) hidden in the GitHub branches: https://github.com/vanilla/vanilla/tree/release/2022.021
These releases have been tagged but have not included a built package for some time. I will be testing this for PHP8 compatibility tomorrow.
Re: Where do we go now ?
While it's long tempted me to continue Vanilla, there's a difficult challenge. If you do a "community edition", you have no input on the roadmap. You're just a silent steward tied to whatever the company decides. I agree there's no reasonable hope for collaboration with them at this point. If you do a fork, now you're signing up for a world of maintenance, and you'd have to rebuild the open source developer community to about 2x its highest point to make that sustainable. Having a bespoke framework underpinning the whole thing is a very large maintenance liability and it hasn't kept pace with development trends.
Flarum has a strong development community and has more than adequate feature parity, imo. It's more challenging to install & update for non-developers, but they're working on that with reasonable priority. My biggest quibble with it is the Javascript-heavy UI, but I have plans to address that and most other folks don't share my concern. My preferred path forward for building community software is do it downstream from Flarum, using it as a dependency to make my own system, rather than building something from scratch again.
I just spent a year of my free time building a migration tool from Vanilla to Flarum, so I feel pretty strongly about it. For more info on moving to Flarum if that's your choice, see here: https://open.vanillaforums.com/discussion/39195/ready-to-move-to-flarum-i-might-be-able-to-help#latest
I built that tool with the ability to do different output/target plugins for other platforms, so it's fully extensible. That said, making target plugins is more challenging than source plugins because of the peculiarities of each new platform.
It's sad to say as I was using it since 2012
I just hit the 13th anniversary of my first code contribution to Vanilla this month. A bittersweet reminder these days, indeed. I really thought it could become the ubiquitous community software of the web, but the writing's been on the wall a long, long time now.
Re: Vanilla version 2021.009 is the latest stable release as of now
I tried 2021.025 on my forum in production (i'm silly).
I updated my 2021.012 version and i had only a php warning.
version.json file is missing in root directory, so the assets in source code of each page look like
<script src="/discussions/js/library/jquery.js?v=unknown" static="1" defer="defer"></script>
and in the dashboard bottom right, i had version: unknown
Forum works fine but i want to correct this, so, I upload on my website a version.json file with this (found in the vanilla github repo, i changed only 2022.006 to 2021.025)
{ "x-version-scheme": "{Release version}-{? SNAPSHOT if it's a dev build}", "version": "2021.025" }
now everythings seems ok. I will check my logs to see if i have others errors.
I tried to pass to PHP8 but had a 500 error. I have to check what is failing.
Thank you @R_J and others for your work for this community