
Topic: Looking for someone to create/modify software for this forum [5500+ BTC] - page 22. (Read 165632 times)

administrator
Activity: 5222
Merit: 13032
Do you have a time frame, theymos? Considering placing a bid, just want to be thorough.

I won't accept a bid earlier than 2 weeks from now. I want to get someone working on code before the end of the month.
sr. member
Activity: 322
Merit: 251
I'd be willing to do this software for 650BTC however I will have to find someone to do the design for me.

I gotta add that this kind of software sounds highly specific to just rewrite current software you'd have to do from scratch, otherwise you are risking yourself to exploits that you're unaware of. If I were to accept this offer you can expect it to take 3 months until a fully tested, bug free, exploit scanned with more than one software suite, and tested on multiple browsers.

Ones that are designed to be extensible and completely customized out of the box would be well suited for this task. I'm thinking PunBB, as it was designed to be extensible (and the contributors and project leaders have executed this design well) and is licensed under GNU GPL.

Do you have a time frame, theymos? Considering placing a bid, just want to be thorough.
administrator
Activity: 5222
Merit: 13032
I Have Several vBulletin Licences I Would Be Willing To Bid For 450 BTC. It Has Admin, Shoutbox, Premium, Themes, Message of The Day, New Announcements And Several Member Positions Inc Admin, News Team, Moderator, Premium, Private Premium And More. Would Be Happy To Set It Up For An Additional 50BTC. Would Take About 5 days-1 week To Fully Set Up

vBulletin alone doesn't meet most of the requirements.
member
Activity: 87
Merit: 10
I Have Several vBulletin Licences I Would Be Willing To Bid For 450 BTC. It Has Admin, Shoutbox, Premium, Themes, Message of The Day, New Announcements And Several Member Positions Inc Admin, News Team, Moderator, Premium, Private Premium And More. Would Be Happy To Set It Up For An Additional 50BTC. Would Take About 5 days-1 week To Fully Set Up
hero member
Activity: 854
Merit: 1000
I am representing Someguy123 (on the forums), Ruben (E-Mail PM'ed), and I.

We will bid 390 BTC, and we will go lower if necessary.  I will PM you all of the details within a few hours.  


-DanielDaniel

EDIT:
PM sent with all details, and contact information for the rest of the team.
administrator
Activity: 5222
Merit: 13032
If you have that many BTC at hand you should set up a TEAM, and go for a custom built solution.

I don't want to manage a team. If you want to create a team and handle payment distribution, etc., you can do that and bid on behalf of your team.
legendary
Activity: 1764
Merit: 1015
Current status:
- Request seemed to have a reasonable idea (which he conveyed to me in private), though I think he underestimated the work that would be required of him. He never got back to me when I asked for more details, though.
- Xenland I am not sure about yet. (My fault for not following up enough.)
- FlipPro's idea of sticking with SMF appeals to me because I've grown to like many aspects of SMF. However, I still don't have a ton of confidence in the code architecture. (The DB handling is an improvement.) TweetForum seems mostly unmodified, so I'm not sure of FlipPro's experience.

The forum now has 920 BTC on hand. More bids would be welcome.
If you have that many BTC at hand you should set up a TEAM, and go for a custom built solution.

P.S Xenland's offer is one hell of a deal, and if he wants, I am more than happy to help him out with any design work that he needs :)
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
PM with a basic but detailed proposal sent!
I stand at 650 BTC since I don't require any more (or less) than that.
administrator
Activity: 5222
Merit: 13032
Current status:
- Request seemed to have a reasonable idea (which he conveyed to me in private), though I think he underestimated the work that would be required of him. He never got back to me when I asked for more details, though.
- Xenland I am not sure about yet. (My fault for not following up enough.)
- FlipPro's idea of sticking with SMF appeals to me because I've grown to like many aspects of SMF. However, I still don't have a ton of confidence in the code architecture. (The DB handling is an improvement.) TweetForum seems mostly unmodified, so I'm not sure of FlipPro's experience.

The forum now has 920 BTC on hand. More bids would be welcome.
legendary
Activity: 1764
Merit: 1015
I'm not sure I want to use SMF again. 1.1.x has a generally insecure architecture. For example, the 0-day bug that affected the forum happened because all POST input is escaped early in the code, then partially unescaped before processing, and escaped again (or not...) before inserting into the database. It is very easy for a programmer to introduce a security problem in this mess.

It's better to avoid the necessity of manually escaping wherever possible by using prepared statements and other library functions that handle it themselves.

Does 2.0 improve this situation much?
Hello Theymos,

Basically SMF 2.0 does not use prepared statements, but instead uses a new "abstraction layer" for interaction with the database in order to support more database engines (at the moment MySQL, PostgreSQL and SQLite). If used properly it takes care of escaping (using mysql_real_escape_string), quoting or casting the values passed to the queries.

For example a query that retrieves data from the database in SMF 2.0 would be:

Code:
$smcFunc['db_query']('', '
	SELECT id_member
	FROM {db_prefix}members
	WHERE real_name = {string:user_name}
	LIMIT {int:query_limit}',
	array(
		'user_name' => $userName,
		'query_limit' => $limit,
	)
);

In this example the function $smcFunc['db_query'] takes care of quoting and escaping the string ($userName) and casting to integer the int ($limit).

For example, a query used in SMF, Load.php line 2082 in SMF 1.1:
Code:
$result = db_query("
UPDATE {$db_prefix}sessions
SET data = '" . addslashes($data) . "', last_update = " . time() . "
WHERE session_id = '" . addslashes($session_id) . "'
LIMIT 1", __FILE__, __LINE__);

In SMF 2.0 is (Load.php line 2445):
Code:
$result = $smcFunc['db_query']('', '
UPDATE {db_prefix}sessions
SET data = {string:data}, last_update = {int:last_update}
WHERE session_id = {string:session_id}',
array(
'last_update' => time(),
'data' => $data,
'session_id' => $session_id,
)
);

SMF 2.0 Gold should be good. However paid software is always going to be the most secure, but IMHO since this is an open-source project, going with a powerful open-source solution like SMF makes a good statement. Plus SMF 2.0 will be much easier to mod than anything else, the key is always to work with the software and not against it. We are missing out, just go to TF and see 2.0 in action.
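Added example (not part of any post in this thread, and not SMF code): the {string:...}/{int:...} placeholder style quoted above, compiled to a real prepared statement so that values are bound rather than escaped and spliced into the SQL text. The helper name typed_query(), the smf_ prefix, the in-memory SQLite database and the sample inputs are all assumptions made for the illustration.

```php
<?php
// Added example: typed_query() is a hypothetical helper, not SMF's db_query.

/**
 * Rewrite {string:name} / {int:name} placeholders as PDO named parameters,
 * check each value against its declared type, and execute the statement.
 * Values travel separately from the SQL text; nothing is escaped by hand.
 * An unknown placeholder type is left in the SQL, so prepare() fails closed.
 */
function typed_query(PDO $db, string $sql, array $values, string $prefix = 'smf_'): PDOStatement
{
    $binds = [];
    $sql = str_replace('{db_prefix}', $prefix, $sql);
    $sql = preg_replace_callback(
        '/\{(string|int):(\w+)\}/',
        function (array $m) use ($values, &$binds): string {
            [, $type, $name] = $m;
            if (!array_key_exists($name, $values)) {
                throw new InvalidArgumentException("missing value for $name");
            }
            $value = $values[$name];
            if ($type === 'int') {
                // Reject rather than silently cast: "10; ..." is not an integer.
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    throw new InvalidArgumentException("$name is not an integer");
                }
                $binds[$name] = [(int) $value, PDO::PARAM_INT];
            } else {
                $binds[$name] = [(string) $value, PDO::PARAM_STR];
            }
            return ':' . $name;
        },
        $sql
    );

    $stmt = $db->prepare($sql);
    foreach ($binds as $name => [$value, $pdoType]) {
        $stmt->bindValue(':' . $name, $value, $pdoType);
    }
    $stmt->execute();
    return $stmt;
}

// --- Demo on a throwaway in-memory database (constructed data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, real_name TEXT)');

$insert = 'INSERT INTO {db_prefix}members (real_name) VALUES ({string:user_name})';
foreach (['alice', "O'Neil"] as $name) {
    typed_query($db, $insert, ['user_name' => $name]);
}

$lookup = '
    SELECT id_member
    FROM {db_prefix}members
    WHERE real_name = {string:user_name}
    LIMIT {int:query_limit}';

// A name containing a quote, then a string that would change the WHERE clause
// if it were concatenated into the query. Both are handled as plain data.
foreach (["O'Neil", "x' OR '1'='1"] as $userName) {
    $rows = typed_query($db, $lookup, ['user_name' => $userName, 'query_limit' => 10])
        ->fetchAll(PDO::FETCH_COLUMN);
    printf("%-14s -> %d row(s)\n", $userName, count($rows));
}

// A non-numeric value for an {int:...} placeholder never reaches the database.
try {
    typed_query($db, $lookup, ['user_name' => 'alice', 'query_limit' => '10; DELETE FROM smf_members']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```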
administrator
Activity: 5222
Merit: 13032
I'm not sure I want to use SMF again. 1.1.x has a generally insecure architecture. For example, the 0-day bug that affected the forum happened because all POST input is escaped early in the code, then partially unescaped before processing, and escaped again (or not...) before inserting into the database. It is very easy for a programmer to introduce a security problem in this mess.

It's better to avoid the necessity of manually escaping wherever possible by using prepared statements and other library functions that handle it themselves.

Does 2.0 improve this situation much?
legendary
Activity: 1764
Merit: 1015
Theymos all these features can be accomplished with SMF 2.0 GOLD and some modifications...

Obviously building something from scratch will better "secure" the forum, but I don't think that's what you were looking for initially.

I can do almost all the features you mentioned above, and we can have a full community audit once the forum is released.

I have extensive experience modding forums, here is my site http://tweetforum.com

I can do this entire project for 250 BTC... And it should take me no longer than a week.

P.S I will also make the forum new custom design as well so don't sleep on this offer!
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
I'd be willing to do this software for 650BTC however I will have to find someone to do the design for me.

I gotta add that this kind of software sounds highly specific to just rewrite current software you'd have to do from scratch, otherwise you are risking yourself to exploits that you're unaware of. If I were to accept this offer you can expect it to take 3 months until a fully tested, bug free, exploit scanned with more than one software suite, and tested on multiple browsers.
newbie
Activity: 34
Merit: 0
Hello,

Our company has an experienced and motivated team to build forum software as you specified including optional features. Also we may have our own ideas which implementations you can rule. We have virtual working environment for project management. We keep all our promises and will deliver high quality in schedule. Data migration service and support also after implementation will be included.

For extra: If needed, my company can also offer hosting for forum or for other server software including SLA without any cost. One of our team members has worked as professional system administrator in ESET (http://www.eset.com/). He will confirm all the security aspects of the service.

We will deliver the service for 700 BTC but we can always discuss about the final price if possible for our team. We are registered company and we will offer very fair service contract. As an owner of this company I can offer the service for very low contribution margin as kind of donation (I don't need any promotion, there's no "tiny print", I just want to support the Bitcoin community the way I can).

Our customers are organizations from the private and public sector. You can ask portfolio from me via PM.

Thank you for this opportunity,

Request
administrator
Activity: 5222
Merit: 13032
The forum's software has proven to be insufficient for our needs. In particular, the general architecture of the code is both insecure and difficult to modify, and the moderation facilities are limited. Therefore, the forum is accepting bids for the job of delivering software that meets the requirements listed below.

I don't care whether you build the software from scratch or just create a bunch of modifications for some already-existing software. There are benefits and drawbacks to both methods which will be considered in relation to the rest of your bid.

Bids should include at least this info:
- A description of the general architecture you plan
- A list of any of the optional features I mentioned that your software will have
- Additional features your software will have that I didn't mention
- Samples of your past code
- A price. If you want links or other "perks", include these as part of the price.

The forum has about 650 760 920 1120 1720 2267 3000 5500 BTC on hand at this moment, but you can bid more than that. If your bid is the best, I'll just wait until the forum has collected the required amount of money.

I will consider offers that only have ~95% of the "required features" listed below, as long as you're delivering a usable product. For example, you don't need to use my preferred programming languages. It's also OK for you to deliver an incomplete (but working and stable) product quickly and then add onto the software after it's being used.

You can't bid on just one aspect such as design or programming. You need to deliver a complete product.

This thread is only for bids, questions from bidders about the specifications, and questions that I have for bidders. Other discussion about this process should go in a separate topic.

Requirements:

Overview of problems with SMF

SMF is very good when viewed from the outside. I like the GUI's look, it has many useful features, and it's fast. However, the code is absolutely terrible. It was clearly written by people who don't have a good understanding of security or coding style. Examples:

- Many of the high-level functions like RemoveTopic can only be used in one place because of the assumptions they make, but the lower-level functions (removeTopics for RemoveTopic) omit important stuff like security checks. When doing anything complex with SMF, I often find myself copy/pasting high-level functions except for a few modified lines.
- Even the low-level functions sometimes misbehave when used outside of their intended area by, for example, printing errors. There's often no way of handling errors yourself without hacks.
- The coding style mostly sucks. The conditional operator is used too much. There's confusing stuff like if(!empty($enabled)).
- A lot of data is cached, but it's difficult to know when cached data is available and where this data is located when it is available. The user's profile data might be in $context['user'], $user_info, elsewhere, or it might not be available yet.
- SMF does crazy stuff like scanning binary attachments for "suspicious strings" (like ) in the name of "security".
- Many limits and security restrictions can be bypassed easily by exploiting quirks in the code. There are many easy denial-of-service attacks.
- Logic is tied very closely to presentation.
- Pretty much every SMF modification is buggy in some way or other because modification authors are usually amateurs and because SMF's code is so difficult to deal with.
- Database inconsistency can happen accidentally.

Ideally, what I'd like to get from this project is software very similar to SMF on the outside (similar features, fast, etc.), but with code that is clear and secure, plus a few extra features that SMF doesn't have (mostly moderation-related) listed below.

SMF features

All of the popular SMF features should be supported by your software. For example:
- Ignore user
- Ignore board
- Email notifications
- Print pages
- Profile pages
- BBCode
- Polls
- Multi-level subsections
- PMs
- Context search, simple search, and advanced search
- "Unread posts since last visit" and "new replies to your post"
- Forum and user stats
- Avatars
- Various user settings
- Good Unicode support
- JavaScript quick edit

The extensive admin interface is not required, however.

Code

I prefer that the software be written in PHP, C++, or Java, as I have the most experience with these three languages. The code must be clean and easy to modify. I want to be able to make even complex changes in behavior without much trouble.

License

The software can be under any license as long as I have complete access to the code forever, I can modify the code, and I will not be required to publish private modifications I make to the code (no AGPL). It can be based on paid software if the cost of the license is reflected in your price.

It would be fine for you to sell your software after you make it for this forum.

Database

PostgreSQL is greatly preferred. Queries should be well-optimized. I'm not a fan of database abstraction layers.

Database queries should wherever possible be done using prepared statements, something like pg_query_params, or some other method that doesn't require the programmer to manually escape things inline.

Security

Security is very important. Your code should have a "generally secure architecture": it should be very difficult for a programmer to mistakenly introduce security flaws.

Use the hashing scheme described here. Passwords need to be automatically upgraded when CRYPT_PARAMS is changed. Legacy SHA-1 passwords ( sha1(password concatenated with lowercase username) ) also need to be upgraded.

No user group should be able to run arbitrary code. SMF and other forum software allow admins to run arbitrary PHP code via modifications or themes. This isn't OK; if you use such forum software as a base for your software, you'll need to disable this feature and replace it with some other method of updating modifications/themes/etc.

All actions must be done by POSTing to the server. GET requests must not have side-effects.

UI

The default theme should be minimalistic like the current theme. Nothing that looks "web 2.0": no speech bubbles, no significant space between posts, no significant hover effects, and few rounded corners.

The default theme must work well with all functionality and a reasonable page layout on text browsers without JavaScript. It should also work perfectly on browsers with unusually small browser dimensions. It should be at least somewhat usable (though maybe not pretty) on ancient and broken browsers like IE6.

Same color scheme as we have now: light with some blue.

There should be functionality for allowing users to choose from among several UIs. You only need to provide the default one, though.

Admin settings that are not changed very often can be made changeable from files instead of from a web interface, though changing the settings from the files should be easy. The web interface must not allow admins to add/edit UIs, execute arbitrary code/SQL, or tamper with logging.

User classes

So that you know the sort of membergroup system that is needed, here are the currently-planned membergroups. All of these must be possible with your software. People can belong to more than one membergroup. These will certainly be tweaked a lot in the future, so don't hard-code the membergroup features/permissions.

- Admins, with all powers. Only group capable of seeing IP addresses. It must be possible for admins to make certain groups, certain posts, and certain topics immune to certain types of moderation.
- Global mods, capable of doing everything with posts and posters.
- Local mods, capable of doing everything with posts and posters in their sections. Posters banned by a local mod are only banned in the sections that the local mod has jurisdiction over.
- Jr. mods, who can only moderate posters that are not established.
- Established posters: all posters who have met some easily-configurable criteria. To start with, the criteria will be 8 weighted hours online (see below for info on weighted stats).
- Categorizers: Can move all topics
- Whitelisted: immune from proxy bans, and maybe other restrictions later
- VIP donator: capable of accessing the donator section, able to change his name, and able to assign himself a custom title
- Donator+: capable of accessing the donator section and able to change his name
- Donator: capable of accessing the donator section
- Scammer: Unable to delete or modify his own profile or messages. Has his posts and PMs marked specially.

There should also be "poster ranking" groups based on weighted stats.

These user groups will be hidden and not listed in a user's profile or next to his posts:
- Local mods (when outside of their sections)
- Jr. Mods
- Established posters
- Categorizers
- Whitelisted
- Donator

In addition to the pips ("stars") that most forums have, small image and text "badges" associated with some membergroups should be possible.

Certain groups (including some poster ranks) imply "whitelisted".

Weighted stats

There needs to be "weighted time online" and "weighted post count" in addition to the raw values. It should not be possible for a user to increase one of the weighted values by too much without increasing the other value. If you post 200 posts in 1 hour, your weighted post count should be 1. If you post 1 post in 200 hours, your weighted time online should be 6 hours. These numbers should be configurable and should apply retroactively when changed (where possible).

Time online should not increase if you're simply refreshing a page, and it should increase more slowly if you seem to be a bot.

Limits

All actions that write to the database should have at least one associated configurable limit. Like "can post x topics per y seconds". There should also be a limit that prevents users from posting too soon after being stopped by another limit. It should also be easily possible for admins to ban certain regex expressions in posts, titles, and usernames (separate ban lists) from the web interface.

The limits may be modified based on membergroup. The actual limits may be relaxed, and the result of exceeding the limit may also change. Exceeding limits can do nothing, reject the action ("you may not post this topic because you just posted one 5 minutes ago!"), or automatically ban the user.

Registration

When a guest tries to post a reply, he will be asked for the necessary account creation info (username and password) on the same page where he can enter his reply.

Email addresses will not be required on registration. However, the board will not send email to the user until an email address is provided and verified.

A user's very first post must not be a new topic.

OpenID

It should be possible to use OpenID authentication instead of a password. The main login method should not be OpenID, though. Maybe entering an OpenID URL into the username or password field will trigger OpenID authentication.

OpenID URLs should not be used as real usernames.

Mod profile view

Mods will see this stuff on the front page of every user's profile:
- A log of everything the user has done in the last few weeks. Entries like "Reported post x", "Posted reply x", "Posted topic x", "Got post x deleted by mod y", "Got banned by mod y", etc.
- The user's recent deleted posts.
- Their last few topics and posts (in different lists)
- Links that will immediately carry out mod actions after a JavaScript prompt: ban, IP ban, whitelist, elevate

Mod actions

Post actions:
- Delete topics/replies
- Split topics
- Merge topics (admin only)
- Clone reply/topic (admin only -- maybe other groups later)
- Create redirect topic
- Move topic
- Edit post
- Lock topic
- Sticky topic
- Announce topic -- put it at the top of every topic index page (admin only)

Automatic poster actions:
- Ban -- automatically permaban poster
- IP ban -- permaban poster and ban for an admin-configurable number of days all IPs the poster has used. Stats should be available to admins about how many times certain IPs and IP ranges are banned in this way.
- Whitelist/unwhitelist -- put the poster in the whitelisted group
- Elevate/unelevate -- Put the poster at the top of the report queue and make all mods do an extra confirm step for any action against this poster. Intended for things that need admin review. This feature is optional.
- Comment -- private mod comments about posters. This feature is optional.
- Nuke -- Deletes all posts.
- Remove reports on the poster

Admins should also be able to create user/IP bans that expire after different amounts of time.

No bans will prevent people from reading posts.

There needs to be something like SMF's "quick moderation" interface on topic pages and user post histories.

All of a poster's deleted posts should be available to them for at least a month.

It should be very easy for admins to undo any damage caused by mods. In particular, it should be very easy to undelete topics/posts and restore them to their original states.

Optional: make it possible to perfectly undo every action of a particular mod since a specified point in time.

Reports

People can send reports by clicking "report" links next to posts and optionally filling in a report reason. This increases the report score on the post and the poster by the reporter's "reliability score". The reliability score starts at 1. For each correct report, it increases by 0.1. For each incorrect report, it decreases by 0.02. The reliability score maxes at 5, and it can't go below 0.

Mods who view the report queue will only see users they can deal with. It should be arranged like this:
Poster 1 -- score: 5 -- details/handled/incorrect links
  post a -- score: 3 -- details/handled/incorrect links
  post b -- score: 2 -- details/handled/incorrect links
Poster 2 -- score: 1 -- details/handled/incorrect links
  post c -- score: 1 -- details/handled/incorrect links
  
The links work like this:
- Details: Lists the actual reports along with the reasons and sender of the reports
- Handled: Removes the reports and increases the reliability scores of all those who sent the reports
- Incorrect: Removes the reports and decreases the reliability scores of all those who sent the reports

Removed reports remain available to admins from a link on the sender and recipient profile pages forever.

Stock PMs

Whenever a mod action is taken against a user, they should receive a stock PM informing them of this. It should be easy for me to customize the text for each PM.

Ban appeals

People who have their user account banned (but not their IP) can use a special ban appeal feature. Each user can appeal once, and then they need to wait for the response.

The appeal queue will be available to admins. It will show the appeal and a link to the user's profile page. It'll have these action links: unban, reply, soft-deny (allow another ban appeal in 14 days), hard-deny (never allow future appeals for this user).

After any action is taken, the appeal is removed from the queue.

The banned user can reply once to each reply that an admin sends.

Proxy banning

There will exist a large list of proxies that are banned from posting except for whitelisted posters. The list should support IPs/hostnames with wildcards and ranges. Checking users against this list should be efficient. I will write code for automatically adding Tor exit nodes to this list, so it should be especially easy to add to this list.

When someone is prevented from posting something due to a proxy ban, the thing they tried to post should be added to a list visible to mods. Mods can then look through the list and whitelist people who tried to post something good.

Proxy-banned people should also be able to manually request whitelisting. The whitelist request queue should be visible to global mods, jr. mods, and admins.

Watchlist

The watchlist feature should be available.

No embedded images

Due to problems with "cookie stuffing" and other attacks, let's just disallow embedded images altogether. Transform old embedded images into links. Avatars will still be allowed, but they will always be hosted by the server.

Keep allowing img tags (transforming them into links), as they might be used later.

Other required features

- Tags, as described here. "Tag mashups" are required. A separate report feature for tags and "ignore topic" are optional.
- Whenever you click "preview" when composing a post or PM, a draft of your post should be saved. These drafts should be available for 7 days.
- Good SEO
- Combined mod action log
- Ability of admins to send PM/Email newsletters to different membergroups.
- A page listing all posts by non-established posters
- Post edit revisions visible to all users who can edit the post
- A way to view all of a user's topics
- The bidder needs to provide code or detailed instructions on how to move current database data to the new database.
- The software needs to be at least as fast and resource-light as SMF.
- I like how the SMF post composition page allows you to highlight text and then click a button to apply certain BBCode. This needs to be replicated.
- Post counts should not be shown on topic pages, but should be shown on profile pages.

Other optional features

- A trust system exactly like that of Freenet's FMS would be excellent. Bids including this will be greatly preferred.
- Optional CAPTCHA-protected email addresses listed on profiles
- Nofollow on links in posts and profiles of non-established users while they are non-established
- In addition to normal BBCode, allow Wiki-syntax for bold/italic: ''=italic, '''=bold
- In "Replies to your posts", highlight posts where you're quoted and include posts where you're quoted even if you haven't posted in those topics.
- The ability to completely ignore a thread.
- A "thanks" feature on posts. All people who have thanked a post (up to a limit) are listed in small text near the post. Readers can hide this list in their options.
- An option that expands [img] tags into embedded images. This must not be the default.
- In addition to the default way of viewing topics, allow people to view topics: by purely chronological ordering, unaffected by bumps; by number of recent replies; and by some "hotness" criteria affected by views and replies.
- Allow people to maintain a list of users who are "friends". Highlight topics/posts by friends, topics posted in by friends, and topics/posts thanked by friends.
- An API
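Added example (not part of the post above and not the forum's code): one way to meet the Security requirement that passwords are upgraded automatically when CRYPT_PARAMS changes and that legacy SHA-1 hashes are upgraded too, by re-hashing at login while the plaintext is available. The hashing scheme the post links to is not reproduced on this page, so PHP's password_hash() with bcrypt stands in for it; CRYPT_PARAMS as a bcrypt cost, the function names, the sample accounts and the username-then-password order inside the SHA-1 are assumptions.

```php
<?php
// Added example. password_hash()/bcrypt is a stand-in for the scheme the
// post refers to; CRYPT_PARAMS here is simply the bcrypt cost.
const CRYPT_PARAMS = ['cost' => 12];

/** Legacy hash. Assumed order: sha1(lowercase username . password). */
function legacy_sha1(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

/**
 * Check a login attempt and return the hash that should be stored afterwards:
 *   null   - wrong password, store nothing
 *   string - correct password; differs from $stored only if an upgrade was due
 */
function verify_and_upgrade(string $username, string $password, string $stored, array $params = CRYPT_PARAMS): ?string
{
    // A bare 40-character hex string is a legacy SHA-1 entry.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
    if ($isLegacy) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, legacy_sha1($username, $password))) {
            return null;
        }
        return password_hash($password, PASSWORD_BCRYPT, $params);
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Parameters changed since this hash was created: re-hash now, because
    // login is the only moment the server holds the plaintext.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $params)) {
        return password_hash($password, PASSWORD_BCRYPT, $params);
    }
    return $stored;
}

// --- Demo with constructed accounts ---
// Alice still has a legacy SHA-1 row; bob was hashed under an older, cheaper cost.
$users = [
    'Alice' => legacy_sha1('Alice', 'correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

$attempts = [['Alice', 'correct horse'], ['bob', 'battery staple'], ['bob', 'wrong guess'], ['bob', 'battery staple']];
foreach ($attempts as [$user, $pass]) {
    $new = verify_and_upgrade($user, $pass, $users[$user]);
    if ($new === null) {
        echo "$user: rejected\n";
        continue;
    }
    $upgraded = $new !== $users[$user];
    $users[$user] = $new; // in a real system: an UPDATE with a bound parameter
    echo "$user: ok", $upgraded ? ' (hash upgraded)' : '', "\n";
}
```

Accounts that never log in again keep their old hash under this approach, so a migration still needs a policy for dormant legacy rows.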