Big forum still using 1.1.19 without problems

Started by Maxtor, September 09, 2024, 10:03:24 AM


Maxtor

Is it safe to run 1.1.19 still in 2024?
The following example is still running it: https://bitcointalk.org/index.php

Aleksi "Lex" Kilpinen

1.1.19 basically should not work in 2024.
But I believe they have been patching it for their own use, keeping it alive.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


Arantor

They've modified big chunks of it and they've said to my face that they wouldn't move to SMF 2 because they think it has some fundamental design flaws (which 1.1 incidentally has, and that they're raising the spectre they think they found proves a limited understanding of software design, which is a different problem)

Reality: SMF 1.x will not run securely on PHP 5.6+ and will not function on PHP 7+ as provided by this site. If you were to make the many, many necessary changes, you could make it run but I can think of 3 or 4 security holes that would be present that have long since been patched in 2.0 but never were in 1.1 because it had fallen out of support.

Note that PHP 5.6 and PHP 7.x are long since tagged unsupported by the PHP team. Some server manufacturers ship patched versions but if you are at the level of understanding whether your server has such patches, you probably would be able to otherwise patch SMF 1.1 to keep it running.
Holder of controversial views, all of which my own.


Aleksi "Lex" Kilpinen

Bitcointalk has also been "working on" migrating to something else for the past decade or so.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


Arantor

They approached me and Nao in 2013, offering us 2200BTC to build them a new software. (In 2013 that was worth maybe $11k USD. We said no. There was no way that was going to end well for anyone.)
Holder of controversial views, all of which my own.


Maxtor

Quote from: Arantor on September 09, 2024, 10:30:54 AM
but I can think of 3 or 4 security holes that would be present that have long since been patched in 2.0 but never were in 1.1 because it had fallen out of support.



My first question: is it possible to run on PHP 7.4+?
Also, is there any unofficial patch for fixing those holes?

Quote from: Arantor on September 09, 2024, 11:48:55 AM
They approached me and Nao in 2013, offering us 2200BTC to build them a new software. (In 2013 that was worth maybe $11k USD. We said no. There was no way that was going to end well for anyone.)

Now worth ~125mil USD $$$!

Arantor

Quote from: Maxtor on September 09, 2024, 02:02:08 PM
My first question: is it possible to run on PHP 7.4+?

Not without *significant* changes. You will need to fix every single database query, by hand, and fix multiple uses of preg_replace /e which will be a security hole.

There is no unofficial patch for fixing them in 1.1 - we fixed them all in 2.0 more than a decade ago.
Holder of controversial views, all of which my own.
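
One way to locate the preg_replace /e uses mentioned in the post above when auditing a legacy PHP tree, as an added example that is not part of the original thread or SMF's own code. The function names and the sample PHP lines are constructed for illustration; only patterns written as string literals are inspected.

```python
import re

# PHP also accepts bracket-style delimiters, where the closing character differs.
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}
CALL = re.compile(r"\bpreg_replace\s*\(\s*(array\s*\(|\[)?", re.I)
# One single- or double-quoted PHP string literal, honouring backslash escapes.
LITERAL = re.compile(r"""\s*(['"])((?:\\.|(?!\1).)*)\1\s*(,?)""", re.S)

# Constructed sample input, not taken from SMF.
SAMPLE = r'''<?php
$a = preg_replace('~\[b\](.+?)\[/b\]~ie', "strtoupper('$1')", $message);
$b = preg_replace('/\s+/', ' ', $message);
$c = preg_replace(array('~&amp;#(\d+);~e', '~\s+~'), array("chr('$1')", ' '), $message);
'''


def modifiers(pattern):
    """Return the modifier letters that follow the closing regex delimiter."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    closer = CLOSERS.get(pattern[0], pattern[0])
    end = pattern.rfind(closer)
    return pattern[end + 1:] if end > 0 else ""


def find_eval_modifier(php_source):
    """Return (line_number, pattern) for preg_replace patterns that use /e."""
    hits = []
    for call in CALL.finditer(php_source):
        is_array = call.group(1) is not None
        pos = call.end()
        while True:
            lit = LITERAL.match(php_source, pos)
            if not lit:
                break  # pattern is a variable or expression, not a literal
            if "e" in modifiers(lit.group(2)):
                line = php_source.count("\n", 0, lit.start(1)) + 1
                hits.append((line, lit.group(2)))
            pos = lit.end()
            # Outside an array literal only the first argument is a pattern.
            if not is_array or not lit.group(3):
                break
    return hits


if __name__ == "__main__":
    for line, pattern in find_eval_modifier(SAMPLE):
        print(f"line {line}: {pattern}")
```

Patterns assembled by concatenation or passed in variables are not resolved, so an empty result is a first pass and not proof that a tree is free of /e.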


Steve

It is highly recommended that you upgrade to 2.1.4 ...
DO NOT pm me for support unless asked to!

Arantor

BCT ain't never going to upgrade.

I can see the appeal of 1.1 in some ways though - there are themes for 1.1 that never got updated for 2.x. I have a decent collection of very old themes kicking around that no one has updated, though many of them are both products of their time (circa 2006) and in dire need of rethinking to make responsive in the modern era.
Holder of controversial views, all of which my own.


Steve

Shame that. The security updates alone would make me want to update.
DO NOT pm me for support unless asked to!

Arantor

BCT seems confident enough in their setup. After all, they completely replaced how passwords were hashed, I think they went to something similar to what SMF 2.1 did but without using any of the code from SMF's GitHub to do it. They assured me they knew better.
Holder of controversial views, all of which my own.


Steve

DO NOT pm me for support unless asked to!