SO MANY SECURITY ISSUES!! Sentora needs serious updates!
(11-19-2018, 10:23 PM) aaronlroberts wrote: Sorry if the post came across rude, but it seems that Sentora has been dead in the water for a while. The problem is that if there are indeed only two people working on it, then efforts need to be made to recruit / locate additional people to offer assistance.

Security is important, and I run the apt-get update / apt-get upgrade commands weekly; there are no new updates which will affect the mentioned security issues.

I'm a little hesitant to upload my security report directly here, as it could possibly be used to exploit the problem mentioned, as there are URLs and directories listed in the report.

My point is, Sentora is way behind. It's not even acceptable to request users to use the old versions of PHP, and Sentora should be updated to include the latest version of PHP (or at least the ability to choose), an up-to-date OS with the latest security and background processes, as well as upgradability as time goes on.

I really love this panel. I've used plenty more, including a new service called CyberPanel, but honestly, I just prefer Sentora's feel and the fact I know my way around the back end enough to make the necessary changes.

I agree that it seems to have become stagnant, but I think there are two main reasons for this. The first, the main "lead" developer stopped working on the project two or three years ago, which I think "dropped a few people in it" in terms of looking after the code and adding new features. I am not bashing them or their reasons for doing this at all. They were creating something that was freely available to anyone, so they have every right to stop working on it whenever they want to for whatever reason. I think there was initially a larger group of people supporting the project even after the lead developer decided to leave, but over the years since then the numbers have slowly dwindled to just two or three active people (that I can see) who maintain the project.

I think the second reason is largely the fault of Suhosin not receiving updates. There's nothing wrong with updating the packages yourself, and in my case, when I install a Sentora server, the installation script grabs the most recent versions of things like Apache and PHP5 at the time of install anyway. Also, I have fixed or patched most (maybe all?) glaring bugs/errors in the code for my own installs. But the jump from PHP5 to PHP7 is quite a major one, and moving from 5 to 7 would mean currently having nothing "plugged in" to PHP to protect your server from people running "abusive" functions etc. because Suhosin is not available in a production version that works with PHP 7. There's an early alpha version of Suhosin for PHP7, but it does not work properly and has itself been stagnant for a long time. Something to replace Suhosin might be around the corner, but we then come back to the first issue...

Implementing a major PHP update (and therefore, an update to the security package) currently relies on either the two or three people who are left to manage the project knowing enough to be able to implement it, and then also having enough time to try it, test it, write about it, and update the code to make use of it. Like a lot of people, these people probably have families and lives outside of Sentora... and Sentora is probably not high on their list of priorities. They were, after all, "dropped in it" and maybe Sentora isn't their "baby" like it once was to the lead developer.

So I guess that means the project will only stay alive if we can be nice to these two or three people and not be abusive towards them and the efforts that they do make, and it also means that we have to be proactive about moving Sentora forward ourselves, as users. That means learning about the code, running our own development snapshots to test things out on, and if we're willing to do so, telling anyone who is interested about what we find on this forum.

I have been working on implementing the best replacement for Suhosin that I can find, with PHP7.3 on Sentora. This is currently a Release Candidate version of PHP but I believe it is due to be released in the next few weeks. The replacement is called Snuffleupagus, and it advertises itself as a modern Suhosin replacement. It has been a bit tricky to implement in a virtual hosting environment but I think I might have that cracked now, so I hope to post about it soon. And when I say soon, this isn't a commitment to post about it within a week, or by the end of the month... I will do this just whenever I get the time and feel motivated to do it. And I imagine that's how most people on here work when they're working for free...

Keith

Messages In This Thread
RE: SO MANY SECURITY ISSUES!! Sentora needs serious updates! - by fearworks - 11-20-2018, 02:42 AM