Who’s Responsible for MOD Security Notices?
Recently a MOD validator found a security issue with one of my phpBB MODs. I am very appreciative that this issue was found during the approval process and not after the MOD had been released. But in the aftermath I found myself wondering, who is responsible for MOD security notices?
phpBB has (in my opinion) unjustly been given the reputation of being an insecure application. The most compelling example of this was the “santy worm” from about two years ago. The truth of the story is that the phpBB Group had provided an update to their package that eliminated the exploited code many weeks before the worm started. If board owners had updated, they would have been immune.
In this “damned if you do and damned if you don’t” world people on all sides of the issue complained. People that got hacked complained because they got hacked. They got hacked because they didn’t update. They didn’t update because, well, I really have no idea why they didn’t update.
I performed my updates within hours of the release of the patch. It was luck, really, as I just happened to be visiting phpbb.com when the announcement was made.
And the people on the other side? Well, they complained because of the frequent updates.
Not too long ago phpBB put a “call home” feature into their script. When an administrator logs into the admin control panel (ACP) the script checks to see when the last “call home” was made. If enough time has elapsed, a call is made and the current version is retrieved from the phpbb.com server. That version is compared to the existing version of the board, and if the admin is out of date, he or she is notified.
Board owners can also subscribe to a mailing list that lets them know when updates are available.
But this is all talk about the standard (core) phpBB code… what about MODs?
Now there are MODs from various authors that do the same thing. Their “call home” might check their own website and see if there is a newer version available. I will be honest: as soon as the “call home” feature came out in the core code, I removed it. I have a number of flimsy excuses as to why.
But the bottom line is that I just don’t want to do it. A frequent commenter on this blog (damnian) posted a blog post of his own about this feature. That blog post also links to a post on another board where there was a discussion about putting a similar feature into MOD code, not just the core phpBB code.
I participated in that topic; here was my main comment:
The following is strictly my opinion, so take it for all that’s worth.
I don’t like the idea.
I turn off the version check in phpBB boards that I manage for the same reason. One, it’s a privacy issue. Two, what if your server is down, or delayed?
I can appreciate the concept, that you would like to see where the code is being installed. You might get enough interest if you simply put a note in your code (make it show up in the admin page, like extreme styles does) that says, “Register your board” or something. That way folks get a link (most folks like links) and you get a way to showcase folks using your code. But only if they want to.
I still have the same opinion, and would likely answer in a very similar fashion if asked the question again today. But I do have more respect for why poyntesm asked the original question. I have no way of knowing who is using my code, and therefore absolutely no way of notifying users of a security update.
That worries me, but I don’t know how to fix it in a way that I personally would be willing to use as a user, and that I would be willing to manage as a MOD provider. I am forced to conclude that ultimately the responsibility lies with both. I think a MOD author should offer a “call home” feature but with full disclosure, and an option to turn it off. That way the author has made the attempt to provide a notification channel but users ultimately have the responsibility to use it. Or the option to turn it off.
I don’t have anything like this set up yet. But at some point I guess I might, under the parameters outlined above.
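The behaviour described in this post (a throttled version check on ACP login, with the opt-out and the server-down concern handled), sketched as an added example in PHP. This is not phpBB's or any MOD's code; the function names, state keys, interval and URL are assumptions.

```php
<?php
// Added illustration, not phpBB or MOD code; every name and the URL are hypothetical.
const CHECK_INTERVAL = 86400; // seconds between calls home

// Real fetcher: sends no board URL or identifier, and the short timeout keeps a
// slow or dead server from stalling the ACP. Returns the reply or false.
function fetch_latest_version(string $url)
{
    $ctx = stream_context_create(['http' => ['timeout' => 3]]);
    $body = @file_get_contents($url, false, $ctx, 0, 32);
    return $body === false ? false : trim($body);
}

// $state keys: enabled, installed, last_check, cached_latest.
// $fetch is any callable returning string|false, so the logic runs offline.
function mod_version_status(array &$state, callable $fetch, int $now): string
{
    if (!$state['enabled']) {
        return 'disabled'; // admin opted out: no network traffic at all
    }
    if ($now - $state['last_check'] >= CHECK_INTERVAL) {
        $state['last_check'] = $now; // count failed attempts too, so a dead server is not retried on every login
        $reply = $fetch();
        // The reply is untrusted: accept only a plain dotted version number.
        if (is_string($reply) && preg_match('/^\d+(\.\d+){1,3}\z/', $reply)) {
            $state['cached_latest'] = $reply;
        }
    }
    if ($state['cached_latest'] === null) {
        return 'unknown'; // server down or bad reply: the ACP still loads
    }
    return version_compare($state['installed'], $state['cached_latest'], '<')
        ? 'outdated' : 'current';
}

// Constructed sample run with stub fetchers in place of the network. In a MOD the
// callable would be: fn() => fetch_latest_version('https://mod-author.example/latest.txt')
$state = ['enabled' => true, 'installed' => '1.0.2', 'last_check' => 0, 'cached_latest' => null];
$runs = [
    [fn() => false, 100000],        // server unreachable
    [fn() => '<b>9.9</b>', 200000], // reply that is not a version string
    [fn() => '1.0.3', 300000],      // valid reply, newer than installed
    [fn() => '9.9.9', 300010],      // inside the interval: stub is never called
];
foreach ($runs as [$fetch, $now]) {
    echo $now, ': ', mod_version_status($state, $fetch, $now), "\n";
}
$state['enabled'] = false;
echo 'opted out: ', mod_version_status($state, fn() => '1.0.3', 400000), "\n";
```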


I would only provide a “call home” feature, if the MOD was big or is in the category security. A small mod wouldn’t require such a feature. When you install a mod like the Alternating replies, you wouldn’t need to have such a thing.
Some time ago I saw a MOD by Fountain of Apples. The Advanced Version Checker. It’s a shame only few/no mod authors offer support for this mod, because it’s really handy.
Comment by Ganon_Master — January 25, 2007 @ 5:53 am
This MOD was, in fact, in the security category, so your point is very appropriate. But if you think back to the days of “santy” that exploit was in the highlight code for viewtopic.php! Suppose that the highlight code had been a MOD rather than part of the core product. Would it have been classified as a security MOD? I don’t think so, yet it resulted in a very severe security breach.
So it’s hard to say which MODs should require or provide this feature because of “security” when it’s really difficult to determine if there even is a security issue until it’s found.
Advanced Version Checker… does that provide a “call home” feature? I’ll have to see if I can find it. Even if I do provide this option, I’m not interested in writing something myself. So if there’s already something available I would like to reuse it.
Unless, of course, there is a security risk associated with installing it.
Comment by dave.rathbun — January 25, 2007 @ 9:26 am
Here it is: http://www.phpbb.com/phpBB/viewtopic.php?t=277654
However, Fountain of Apples is no longer supporting it…
Comment by Ganon_Master — January 25, 2007 @ 10:30 am