
Ideas for 2.2

Posted: Thu Feb 02, 2017 1:25 pm
by onli
With 2.1 on the horizon, I felt like writing down what I plan for 2.2. I got some initial feedback from the others, and am now interested in what you think. Do you have some wishes for the next s9y version? Maybe even areas you want to work on yourself?

These are my ideas:


1. Change password hash

We are currently using sha1 as hash function, in https://github.com/s9y/Serendipity/blob ... .php#L2219. SHA1 is the wrong choice for passwords, as it is a fast hash. I'd replace it with scrypt or Argon2.

For context: that is not something that is really security-relevant for a normal blog system. It matters more if someone were to capture your database and you have user accounts for thousands of users; then that hash becomes important in protecting the stored passwords from being computable with the resources a hacker has at hand, like a GPU. Still, big multi-user systems are something s9y does theoretically support.

1.1: Add rate limiting to the login function (if we don't have that already)
1.2: Rewrite autologin-cookie (issue #441)


2. Fix MySQL UTF-8 bug

That will include changing the charset of existing installations. I'm most likely the wrong dev to do that, btw; I've been using sqlite everywhere so far (issue #394). But this one is very pressing.


3. PHP 7.1 compatibility

We got 7.0, but 7.1 seems to have new incompatibilities (issue #441)


4. Cleanup plugins

We should remove broken plugins, or fix them, or at the very least mark them (that idea is coming from YL, I think)


5. Responsive Images

YL mentioned that a long time ago. S9Y already has functionality for resizing images, it should thus be able to generate the needed sizes (if the original is big enough) and set them according to https://responsiveimages.org/.


6. Social Network Home

I'd like to look into whether it is possible to mirror comments on FB/etc and have them as marked comment in the blog (nod to Mario, I think we talked about that).


7. Minor: A round of Trackback/Pingback compatibility testing.

After implementing the trackback meta header it would need to be tested anyway. S9y should work well with Wordpress, and we should disallow settings that break compatibility easily, such as the IP check.


8. Database security

We had some ugly SQL injections this round, thankfully not with critical variables, if I saw that right. The main fault is that someone made a mistake when writing the responsible code, but the other fault is that we build the queries as raw strings in the first place. We should use prepared statements instead of escaping manually, and bind the variables to them, which escapes the variables automatically and will remove almost all the possibilities of such issues occurring. We can wrap an API around that, such that a statement looks like:


$result = serendipity_db_query("SELECT * FROM namespace_config WHERE key = :name AND user = :user", array("name" => "editor", "user" => "otto"));
Of course, other APIs are possible.

That would mean a lot of change in the core and plugins, that is why we didn't do it so far.


9. Caching

2.1 brings the database cache, but for the next version I'd like to activate it by default, and add the functionality of using redis as cache system. My goal here is to counteract the image Wordpress has, that it fails as soon as something like Reddit or Hacker News links to it, if the admin did not do a lot of tuning. At least as much as possible with the servers we have.

---

Do you have other changes in your mind?
We also could bring back the "upcoming s9y Features" subforum, if there is a some interest.
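The password-hash change from item 1, as an added example that is not Serendipity's code: a bare sha1() hash is replaced by password_hash()/password_verify(), and old entries are upgraded transparently the next time the user logs in. The assumption for the illustration is that the legacy stored value is an unsalted sha1 hex digest of the password; the function names are this example's own. Argon2 support in password_hash() requires PHP 7.2 or later built with libargon2, so the code falls back to bcrypt (PASSWORD_DEFAULT) where Argon2 is not compiled in.

```php
<?php
// Added example (not Serendipity's code): swapping a bare sha1() password hash
// for password_hash()/password_verify() and upgrading old hashes on login.
// Assumption for the illustration: the legacy stored value is an unsalted
// sha1 hex digest of the password.

// Strongest algorithm this PHP build offers. Argon2 needs PHP >= 7.2 built
// with libargon2; PASSWORD_DEFAULT (bcrypt) exists on every supported PHP.
function password_algo() {
    if (defined('PASSWORD_ARGON2ID')) return PASSWORD_ARGON2ID; // PHP 7.3+
    if (defined('PASSWORD_ARGON2I'))  return PASSWORD_ARGON2I;  // PHP 7.2+
    return PASSWORD_DEFAULT;
}

// Slow, salted hash for storage.
function make_hash(string $password): string {
    return password_hash($password, password_algo());
}

// Checks $password against either format. Returns
//   ['ok' => bool, 'rehash' => string|null]
// where 'rehash', when not null, is a new hash the caller must store: legacy
// sha1 entries (and hashes made with weaker parameters) get upgraded on the
// next successful login, the only moment the plaintext is available.
function check_password(string $password, string $stored): array {
    $info = password_get_info($stored);
    // password_get_info() reports algo 0 (PHP < 7.4) or null (PHP >= 7.4)
    // when the string is not a password_hash() value.
    $isModern = !empty($info['algo']);
    if ($isModern) {
        if (!password_verify($password, $stored)) {
            return ['ok' => false, 'rehash' => null];
        }
        $rehash = password_needs_rehash($stored, password_algo())
            ? make_hash($password) : null;
        return ['ok' => true, 'rehash' => $rehash];
    }
    // Legacy path: 40 hex characters = sha1. hash_equals() compares in
    // constant time; on success hand back a modern hash to replace it.
    if (strlen($stored) === 40 && ctype_xdigit($stored)
        && hash_equals($stored, sha1($password))) {
        return ['ok' => true, 'rehash' => make_hash($password)];
    }
    return ['ok' => false, 'rehash' => null];
}

// Demonstration with a constructed account record.
$row = ['user' => 'otto', 'password' => sha1('correct horse')];

// First login after the change: the sha1 row is accepted and a replacement
// hash comes back, which the caller writes over the old column.
$r = check_password('correct horse', $row['password']);
var_dump($r);
if ($r['ok'] && $r['rehash'] !== null) {
    $row['password'] = $r['rehash'];
}

// Second login: the stored value is already a modern hash, no rehash needed.
var_dump(check_password('correct horse', $row['password']));

// Wrong password against the modern hash.
var_dump(check_password('wrong', $row['password']));
```

The upgrade-on-login step is what makes the migration practical: the hash column is rewritten one account at a time as people log in, and there is never a moment where the old sha1 values have to be reversed in bulk. Rate limiting (item 1.1) stays necessary regardless, since a slow hash protects the database dump, not the login form.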
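The prepared-statement idea from item 8, as an added example that is not Serendipity's code: the lookup sketched in the post is written twice, once by pasting values into the SQL string and once as a PDO prepared statement with bound parameters, and both are run against the same injection payload. The db_query() wrapper is this example's own sketch of the API the post proposes, not the project's serendipity_db_query(); the table rows are constructed, and the database is an in-memory SQLite instance so it runs offline.

```php
<?php
// Added example, not Serendipity's code: the same lookup written with string
// concatenation (injectable) and as a PDO prepared statement (bound values).
// db_query() is this example's own wrapper, not the project's API.
// Runs against an in-memory SQLite database filled with constructed rows.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE namespace_config ("key" TEXT, "user" TEXT, value TEXT)');
    $db->exec("INSERT INTO namespace_config VALUES
               ('name',   'editor', 'Editor'),
               ('name',   'otto',   'Otto'),
               ('secret', 'otto',   'hunter2')");
    return $db;
}

// Vulnerable form: the caller's strings become part of the SQL text, so a
// quote character inside $user rewrites the query.
function lookup_unsafe(PDO $db, string $key, string $user): array {
    $sql = 'SELECT value FROM namespace_config WHERE "key" = \'' . $key
         . '\' AND "user" = \'' . $user . '\'';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is a constant, the values travel separately as
// parameters and can only ever be compared as data.
function db_query(PDO $db, string $sql, array $params): array {
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function lookup_safe(PDO $db, string $key, string $user): array {
    return db_query(
        $db,
        'SELECT value FROM namespace_config WHERE "key" = :name AND "user" = :user',
        [':name' => $key, ':user' => $user]
    );
}

$db = make_db();

// Ordinary lookup: both forms return the same single value.
print_r(lookup_unsafe($db, 'name', 'otto'));
print_r(lookup_safe($db, 'name', 'otto'));

// Injection attempt: a tautology smuggled in through the user field.
$evil = "x' OR '1'='1";
// The concatenated query becomes
//   ... WHERE "key" = 'name' AND "user" = 'x' OR '1'='1'
// so the WHERE clause is always true and every row, secret included, comes back.
print_r(lookup_unsafe($db, 'name', $evil));
// The prepared statement looks for a user literally named x' OR '1'='1
// and matches nothing.
print_r(lookup_safe($db, 'name', $evil));
```

One caveat for the MySQL side: PDO's MySQL driver emulates prepared statements by default, quoting the values client-side. That is still correct, but the quoting depends on the connection charset being set properly, which ties this item to the UTF-8 fix in item 2; setting PDO::ATTR_EMULATE_PREPARES to false makes the server do the binding instead.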

Re: Ideas for 2.2

Posted: Sat Feb 04, 2017 2:41 am
by Imajica
As a new serendipity user (rapidly heading towards evangelist) I have a couple of things I'd like to see:

a way to update the footer from the theme admin panel, like some of the older templates did (I can find an example given some time)

adding social icons/links to the footer (like timeline)

adding recaptcha or a different captcha

personally I'd like to see the upcoming s9y Features subforum... I'm always wanting to see what's next

I'm not a coder, but I am a tester... and I am always willing to donate some server space for that purpose

John

Re: Ideas for 2.2

Posted: Sat Feb 04, 2017 1:39 pm
by yellowled
Imajica wrote:a way to update the footer from the theme admin panel, like some of the older templates did
That is not really a core feature, nor should it (in my opinion) necessarily be one. It should be a theme functionality (some themes may not even have a footer).
Imajica wrote:adding social icons/links to the footer (like timeline)
Same here. That is a theme-specific functionality, and it should remain that way.
Imajica wrote:adding recaptcha or a different captcha
What about the serendipity_event_recaptcha plugin, does that not work for you? (Again, this should by all means remain a plugin functionality, not core.)

YL

Re: Ideas for 2.2

Posted: Sat Feb 04, 2017 4:24 pm
by Imajica
yellowled wrote:That is not really a core feature, nor should it (in my opinion) necessarily be one. It should be a theme functionality (some themes may not even have a footer).
please remember I'm new and just throwing ideas out there...
I disagree on some level.. having certain settings as universal, despite the theme, would be a nice addition IMHO
The functionality of the footer should be determined by the theme, but the base data contained within can be controlled at the core.
yellowled wrote:Same here. That is a theme-specific functionality, and it should remain that way.
Again just my opinion, if this information was stored in the core as one changes or modifies themes you wouldn't have to reenter that data... My Facebook page is universal across all themes
yellowled wrote:What about the serendipity_event_recaptcha plugin, does that not work for you? (Again, this should by all means remain a plugin functionality, not core.)
The serendipity_event_recaptcha plugin didn't work at first; the documentation was incorrect and I went to http://www.recaptcha.net (which is a dead URL). I just revisited it and remembered that recaptcha is a Google product. So the documentation just needs to be updated.

I'll just withdraw that particular suggestion. :)

John

Re: Ideas for 2.2

Posted: Sat Feb 04, 2017 11:32 pm
by onli
I disagree on some level.. having certain settings as universal, despite the theme, would be a nice addition IMHO
I don't disagree, btw. We already have this for the header. But for the footer it would be harder to define what should be the standardized text inside it, or even just its structure. But that might still come :)

Re: Ideas for 2.2

Posted: Sun Feb 05, 2017 12:23 am
by thh
Imajica wrote:serendipity_event_recaptcha plugin didn't work at first, the documentation was incorrect and I went to http://www.recaptcha.net (which is a dead url) I just revisited it and remembered that recaptcha is a google product. So the documentation just needs to be updated
You're right.

I've opened a pull request with those changes (#50).

Re: Ideas for 2.2

Posted: Sun Feb 05, 2017 1:56 pm
by yellowled
Imajica wrote:I disagree on some level.. having certain settings as universal, despite the theme, would be a nice addition IMHO […] Again just my opinion, if this information was stored in the core as one changes or modifies themes you wouldn't have to reenter that data... My Facebook page is universal across all themes
All that may sound very comfortable, but the ultimate point to determine whether something should be a core functionality or a plugin is if it is useful to a majority of users. I have my doubts about this with both editing the footer and adding social links.

Please note that I'm not at all voting against implementing these features, I'm merely saying it might be better to implement them as plugins, meaning optional features to be added on if the user chooses.

YL

Re: Ideas for 2.2

Posted: Sun Feb 05, 2017 6:46 pm
by Imajica
yellowled wrote:Please note that I'm not at all voting against implementing these features, I'm merely saying it might be better to implement them as plugins, meaning optional features to be added on if the user chooses.
YL
I'll concede that point... but I'd still rather put it out there than say nothing at all :)

John

Re: Ideas for 2.2

Posted: Wed Feb 08, 2017 9:54 pm
by Don Chambers
John - I think that it is great that you are offering your input. New thoughts and perspectives are always welcome.

You might be thinking of Bulletproof, which I think had a footer theme option. We went crazy with theme options in Bulletproof as we explored nearly everything we thought was possible at the time.

Timeline does have a few options in the footer which include copyright text, footer links, and social icons. I took a different approach with Timeline for social icons by coding in the choices I felt were most popular; the admin then selects the desired social media links from those available. You can modify the code in the file config.inc.php to add additional social media options.

Re: Ideas for 2.2

Posted: Sun Apr 09, 2017 1:03 am
by Imajica
Has anyone thought about multisite?

Re: Ideas for 2.2

Posted: Sun Apr 09, 2017 10:57 am
by Lux
Imajica wrote:Has anyone thought about multisite?
We already have this. It is called "shared installation".

Cheers

Dirk

Re: Ideas for 2.2

Posted: Mon Apr 10, 2017 5:39 am
by Imajica
Lux wrote:We already have this. It is called "shared installation".

Cheers

Dirk
I did see that but it's marked as experimental and at least from the documentation appears to be targeted at subdomains.

I was thinking more along the lines of:
www.mysite.com - using timeline theme
www.adifferentsite.com - using next theme
www.athirdsite - using skeleton theme

single admin interface and a single database

this is often a feature of commercial CMS systems, but is sometimes an option in opensource systems.
It was a feature in nucleus (my previous platform)

John

Re: Ideas for 2.2

Posted: Mon Apr 10, 2017 6:07 am
by Lux
Imajica wrote:I did see that but it's marked as experimental and at least from the documentation appears to be targeted at subdomains.
In my opinion it is called experimental because of very few people using it.
Imajica wrote:single admin interface and a single database
I never tested it, but I think you will get several admin interfaces. You can put different blogs in one database if you change the prefix "serendipity_" for each blog to something different.

Cheers

Dirk