Webmaster Key - Discussion Forums


Author Topic: Security Updates  (Read 1326 times)
Andy
« on: April 04, 2007, 03:20:10 PM »

This really makes me mad about using scripts.

As soon as I install a 3rd party script it is soon followed by a warning that I need to install it all over again to avoid a security flaw.

Why is this? What is stopping script writers from writing code that is immune from exploitation from cyber terrorists?

Is it because they don't follow coding standards or are not experienced enough at writing secure software?

As regards SMF, I stopped upgrading the script after the UTF8 broke. I know they claim to have fixed it but they haven't, since all my UTF8 posts are scrambled by SMF updates. I spent a whole day fixing the problems that the upgrade code caused and reverted back to code that works. To avoid spam, I ended up coding my own PHP code to halt it.

Funnily, I recently got a Windows security update that I refused since it was to check my Windows was a genuine install. So obviously I refused that "security update". Say this software had a bug, it could disable my operating system!

A great bad example is WordPress: I installed the very latest script just a day ago and today there is a security update. The last version they released was almost immediately followed by an emergency update.

SensoVision
« Reply #1 on: April 04, 2007, 06:02:33 PM »

Quote
Why is this? What is stopping script writers from writing code that is immune from exploitation from cyber terrorists?

Is it because they don't follow coding standards or are not experienced enough at writing secure software?
Maybe both... Or it could be caused by laziness and interest in writing code faster. Also, even if you follow coding standards and try not to leave security holes, there is always a chance that you miss something, especially if you work alone on the project, so I guess that developers can't be blamed for this. Don't forget that they give you this software for free and they are not obliged to write working software for such a price.

Quote
As regards SMF, I stopped upgrading the script after the UTF8 broke. I know they claim to have fixed it but they haven't, since all my UTF8 posts are scrambled by SMF updates. I spent a whole day fixing the problems that the upgrade code caused and reverted back to code that works. To avoid spam, I ended up coding my own PHP code to halt it.
I didn't track UTF8 status but thought that it was fixed ages ago...

Quote
Funnily, I recently got a Windows security update that I refused since it was to check my Windows was a genuine install. So obviously I refused that "security update". Say this software had a bug, it could disable my operating system!
Yeah, it would be in Windows style to prevent you from working on your PC at the least appropriate moment :) I haven't heard of such an update, probably because my girlfriend's notebook is behind a firewall and NAT and its internal IP isn't visible from the Internet anyway, so her PC is immune to most exploits and we haven't installed security updates for many years. The problem which can't be resolved like this is viruses, which are sometimes present on disks from university and friends.

Quote
A great bad example is WordPress: I installed the very latest script just a day ago and today there is a security update. The last version they released was almost immediately followed by an emergency update.
I never install software as soon as it appears, especially when it comes to online scripts like SMF (but in the case of SMF I don't install an update, of course, if it's not a critical security one, mostly because it stops all 3rd-party add-ons working, including modifications I've made myself). The same rule applied when I was on Windows, but when I moved to Linux I started using beta software once it becomes available, as most of it works as reliably as the stable branch.

Denis
Andy
« Reply #2 on: April 04, 2007, 06:22:55 PM »

Quote
Maybe both... Or it could be caused by laziness and interest in writing code faster. Also, even if you follow coding standards and try not to leave security holes, there is always a chance that you miss something, especially if you work alone on the project, so I guess that developers can't be blamed for this. Don't forget that they give you this software for free and they are not obliged to write working software for such a price.

There is no reason to change software that already works and insist that everybody upgrades. I blame developers, since you should not insist that people install a new version of your code every time you feel like it. By changing code, these people waste the time of webmasters and cause them problems that can result in financial loss and possible legal problems from users. Remember that all code developers do it for a reason such as academic recognition. Nobody in their right mind spends 100s of hours to provide free code to anyone on earth.

Quote
I didn't track UTF8 status but thought that it was fixed ages ago...

That's a typical statement from somebody without experience of something that they actually did. If you haven't actually tested something in a live situation you are only spreading a rumour.


SensoVision
« Reply #3 on: April 04, 2007, 09:01:43 PM »

Quote
Remember that all code developers do it for a reason such as academic recognition. Nobody in their right mind spends 100s of hours to provide free code to anyone on earth.
Check my answer in this thread: http://forum.weblamp.net/index.php/topic,7127.msg34483.html#msg34483

Quote
That's a typical statement from somebody without experience of something that they actually did. If you haven't actually tested something in a live situation you are only spreading a rumour.
FYI, I was a translator of SMF into Russian but resigned. I've also used SMF on a local network where we have Rus/Ukr-speaking folks, but it was ages ago. So it's not just rumour, and it's not that I never looked at this question.
« Last Edit: April 04, 2007, 09:07:26 PM by SensoVision »

Denis