📖 Introduction

Welcome to our newest community update. As some time has passed since the last community update, we want to update you on different things that happened or are happening in the future. In Edition 7 of our community updates 2023, we featured an overview of what's happening next with Flarum. Feel free to skip back to this post in case you are interested. But now, let us move on to our newest update.

---

🧪 Want to test out some upcoming features?

(they will be part of Flarum 2.0)
Our team is already working hard on Version 2.0 which will focus on key improvements. You can read more about the development journey in the Staff Diary: v.2.0 Cycle. Some upcoming features are in active development and can already be tested in a BETA capacity for the current Version 1 of Flarum.

📦️ Package Manager

The package Manager project - driven by @SychO - allows you, after the initial installation, to install, remove and update extensions of your Flarum installation without the need to access composer in the command line. You can already see this working now in a BETA capacity. You can test how it improves your day-to-day experience in administrating Flarum. If you want to try this upcoming extension yourself, you can do so using the following command:
composer require flarum/package-manager:"*@beta"
We'd love to hear your experiences with the package manager - you can share your feedback in this discussion.

👁️ GDPR Data Management

As announced, making Flarum more compatible with regulations, a GDPR data management extension will be integrated into the core with 2.0. You can already test this extension with Version 1.0 of Flarum - also in a BETA capacity. This extension, developed by @luceos and @IanM, allows for export and deletion of data. As it's in BETA it only partially covers all areas as of right now - and the extension will need to be adopted to be compatible. If you want to try it now, you can do so:
composer require blomstra/gdpr:"*@beta"
We would love to hear your feedback on your test runs of this new extension - you can share your feedback in this discussion.

🕸️ Friends of Flarum - Anti-Spam

@IanM has picked up theBounty on FoF Spamblock to improve handling of Spam in Flarum. He combined two extensions (fof/spamblock and fof/stopforumspam) into one new anti-spam extension. This extension will help your moderation flow to be more effective.
You can test the new extension now: composer require fof/anti-spam:"*@beta"
Feedback is - as always - appreciated and can be provided within this discussion.

🌐 New Flarum website

You can also check out our upcoming website, which will merge core services like Extiverse into one umbrella. The new website - developed with much effort by @luceos - in DEMO capacity is available at https://next.flarum.org. If you want to leave us feedback, you can do so here in this discussion.

👓️ Discussion about upcoming changes (search)

Searching in Flarum has been subject to many discussions and is one of the big topics on our roadmap for 2.0. As an open-source project, we value our community's feedback, and we have started a public discussion on upcoming changes. You can follow and contribute to this discussion, led by our newest team member @Darkle, here: https://discuss.flarum.org/d/33443-flarum-20-uiux-improvements-for-enhanced-search-experience

🏴‍☠️ Bounties,🔌 Extensions & 🇬🇧 Translations

Our community is very active in generating newProposals to improve Flarum. Also, there are many updates to existingExtensions, and new ones are created. We encourage you to check openBounty occasionally and see if there is a feature you are also looking for that might need just a little support to get realised.
If you are missing out on some translations in your desiredLanguages you can always head over to the Flarum Translation on Weblate and contribute some translations yourself! https://weblate.rob006.net/languages/. To learn more about translation Flarum, visit: https://discuss.flarum.org/d/27519-the-flarum-language-project

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We will pick up speed again and hope to see you soon on the next edition of Community Updates. Don't want to miss the next update? Follow theBlog tag, and you'll get a notification.

Yes, here it goes. The staff diary for the v2.0 cycle. You can read up on what's in store in this post: https://discuss.flarum.org/d/32812

Dear Flarumites,
It is with a sad and heavy heart that we announce today that Flarum.org was the subject of a cyber attack which resulted in the breach of one of our servers. Inline with our ethos of total transparency, we wanted to give you all the full details of what we know and what actions have been taken.

I’m concerned! What do I need to do?!

We understand that security breaches are a concerning thing. We absolutely appreciate that our users expect, and deserve, better. We promise that we will endeavour to secure our systems and that’s why we’re bringing together our own internal resources with continuous security reviews from external parties as part of our vision for Flarum 2.0 and beyond.
If you are concerned about the impact of this breach, and what it means for you then we recommend:

1. Reset your password on any other providers that you may have re-used it on. (We also strongly advise not to re-use passwords.)
2. Where possible, enable Multifactor Authentication, or MFA.

And for those that want our detailed analysis, please see below:

What actually happened?

On the 3rd October, 2023 @luceos noted a number of files on our server which are not part of our deployment for Flarum, and immediately notified the ops team (Namely, myself and @katos) through our relevant Discord channel to launch an investigation.
Over the next few days we immediately took action to limit the impact of any breach and to pull files for auditing and forensic analysis. IT was identified that a total of 12 files were uploaded into the /public/ directory of flarum.org
At the same time, we also identified an old backup of Discuss’ database had not been cleared down from the server, this backup dated back to December 2021.
The decision was taken to copy files off of the server for analysis, and to run a git-clean and redeploy in order to obliterate any malicious files from our servers (as we use a CI/CD pipeline, this action was quick and easy).
Out of a further abundance of caution, we also took the decision to fully remove ALL SSH keys from the server and to re-generate a key for Luceos who would (for now) be the sole manager of the server whilst investigations were ongoing.
On Friday 06/10/2023 (three days later), we were able to confirm that:

1. Of the files uploaded, we are confident that unfortunately a webshell was uploaded which allowed the attackers to upload further scripts and expand their arsenal against the server.
2. We identified an email spam script (leveraging PHP’s “LeafMailer” library) which was used to send spam mail from our server.
3. We identified a php shell script allowing file management on the server. We have NO REASON to believe that files served from the server were edited, as all files retained their original content, however we are unable to verify if data was exfiltrated from the server.
4. We also identified a number of HTML files which contained malicious URL redirects designed to steal credentials - We cannot see evidence of these being used, and suspect that they may have been part of a wider email campaign for phishing / credential hijacking.
5. Whilst we do not wish to spread malicious code, we can also confirm that we identified three sources of malicious code that was used in this attack. All three instances of this came from old shell scripts found online in Github gists.
6. Of the malicious files, all except two triggered detections through Virus Total or Yara.

With the evidence in our logs, and with the files that we have identified (and their subsequent analysis), whilst we cannot confirm this; we are confident that with the PHP mail script and the html files with phishing sites, the intention of the compromise was to use our systems to establish a ground for spamming phishing links to other users. We do not believe that Flarum or it’s users were the endgame of the attack.
This leads us nicely to what we did….

What we did to rectify the issue

As already detailed above, we immediately set up a task force of individuals at Flarum who were responsible for owning the challenge of identifying the breach, and seeing through the remediation and recovery.
Below is a breakdown of what we did:

1. Took a copy of the suspect files that we identified on the server.
2. Immediately reviewed (and validated) access logs for SSH.
3. Ran a git clean to restore the site to a state of as-deployed-from-CI/CD
4. Investigated file contents and ran analysis of contents to identify the scope of breach.
5. As we learned that the shell ran as our web user, and had potential access to the SQL backup file, we took the decision to rebuild our server from scratch. This went as follows:
6. An ENTIRELY NEW server was created (copying NO files from the previous).

Server was configured for:

1. Ubuntu latest LTS version.
   
2. No root access allowed.
   
3. Cloudflare Zero-Trust SSH tunnel access only.
   
4. Laravel Forge login.
   
5. Dedicated AV scanner in place.
   
6. Crowdsec security installed to monitor activity on the box.
   

7. A review was taken and we decided that:
   Access to the server should be restricted to Devops/Devsec only.
   All access will have to pass through Cloudflare ZTNA.

8. A review of the code would be made to ensure that we are running up-to-date libraries and functions where possible.
   A review of our PHP functions would be taken to ensure that any redundant/obsolete or excessive functions would be removed.
   We would more regularly re-deploy our server through our CI/CD stack to ensure that only those files which we allow through our repository exist on the server.
   We also took the decision to step up our security efforts by creating a dedicated security team, both for our code (already in place) but also for our infrastructure, where this was not previously clearly defined.

9. We then, naturally, informed you guys. As part of this:
   We are advising that ALL USERS reset their password (we're forcing it). This is due to the database having been available on the server, whilst we encrypt ALL of our passwords with a strong hash, we did not wish to risk any potential further impact to our users.
   We developed a framework for transparent communications of any issues going forwards.

No compromise of a system is ever easy, and we very much know that we have learned lessons the hard way.

What we learnt?

We unfortunately identified a number of shortfalls in our processes, and we know that you absolutely deserve better. That’s why we’re announcing our difficult lessons learned.

1. We will be conducting regular security reviews of our full stack, from code to infrastructure to ensure that we maintain secure access at all times.
2. We will be regularly reviewing all configurations and ensuring that we keep up-to-date with the latest best practises for security and development.
3. Starting from today, we already have forced a reset of all user passwords to ensure that we do not risk user compromise.

What we are doing to fix this going forwards

As outlined, we will be moving our stack to a new server which has security at it’s forefront. All access will now be governed through a ZTNA pipeline provided by Cloudflare, and access will be restricted to these tunnels. This significantly reduces the attack surface and ensures that all access is explicitly defined.
We will also be more granularly segregating our web stack to reduce the attack surface between our offerings - From flarum.org, Discuss.flarum.org and Next.flarum.org.
Alongside this, we are also working to introduce a new Cyber Security Team internally who will be responsible for the maintenance and security of the systems and will handle any updates, deployments and changes to our infrastructure from here. This will ensure that our systems are vetted prior to any changes and that our stack is regularly assessed for threats.
We will also be deploying next generation EDR to not only detect, but automatically alert and remediate on threats as they are discovered on our systems.
We will also be drafting, and distributing, dedicated cyber playbooks for should an incident such as this happen again. The unfortunate incident that we have dealt with in this instance highlighted a need for a process to follow and as such we lost valuable time and information which may have assisted with remediation and recovery as well as transparent reporting.
If you have any further questions or concerns, we meant what we said about transparency. Please do reach out to us below or by DM and we will be happy to answer what we can.
We thank you for your continued support and patience, and we look forward to continuing to serve the greatest forum content.
`- The Flarum Staff Team.

v1.8.0 - Quoll

---

📣 The Release

---

We are delighted to announce the release of the final scheduled installment in the 1.x series, marking the culmination of an extensive period of development and refinement. This release is primarily dedicated to addressing various bugs and bolstering performance, ensuring a smoother and more reliable experience for our users. As we bid farewell to the 1.x series, we would like to express our gratitude to our loyal users for their invaluable support and collaboration. Now, let's delve into the key highlights of this release:

• 👨‍💻 You can now mention tags in posts (flarum/framework3769).
• 🚪 Users can be given permission to delete their own posts (flarum/framework3784).
• 🔓 New users can be created from the user admin page (flarum/framework3744).
• 🛠️ Extensions can be enabled/disabled from a CLI command (flarum/framework3816).
• 🔍 Improved post creation time (flarum/framework3808).
• 🧪 And a whole lot of performance improvements and bugs fixed

This release closes the successfully funded bounty for mentioning tags, as well as a high-voted proposal for the new permission added in this release. We want to highlight this to make you consider posting your idea in depth inProposals so it maybe gets picked up either as aBounty or as a high-voted proposal - you can see this here: https://discuss.flarum.org/t/proposals?sort=votes

👨‍💻 For Developers

---

Extensions compatible with 1.7 should still operate on Flarum 1.8 without any changes. However, depending on what JavaScript changes your extension makes and how it makes them, we recommend looking through some of the frontend facing changes made: https://github.com/flarum/framework/issues?q=is%3Aopen+is%3Aissue+label%3Ajavascript.
Additionally, this release introduces conditional extenders, which allow you to add extenders based on a condition, such as whether an extension is enabled: flarum/framework3759.
Checkout the full upgrade guide. Feel free to provide feedback or report any encountered issues!

⤴️ Upgrading

---

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
To upgrade from 1.0 or 1.7 to 1.8, take a look at our upgrade guide documentation. The process should be much easier compared to previous major version upgrades, due to the lack of breaking changes.

If you run into any issues, please open a new discussion under the tagUpgrading. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.8.0, and any errors to their fullest.

😇 Thanks to our Sponsors

---

Financial donations keep Flarum alive and kicking. The following companies and people deserve credit for making Flarum sustainable:

• Glowing Blue AG.
• Sridhar Kamma.
• Lincoln Russell.
• Bart van Bragt.
• Circuit Dojo.
• David Wheatley.
• Rad Web Hosting.
• Seaborn.
• Timotheus Pokorra.
• JrdnHnz.
• Jai Gupta.
• Guoqing Zou.
• Miguel A. Lago.
• Alexander Skvortsov.
• Jeannes Bryan.

Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !

Thanks for being awesome 😍 !

🙇‍♀️ Acknowledgements

---

Flarum wouldn't be the same without our over one hundred contributors, along with their generous time commitments! For this release we specifically thank these wonderful people:

• The non-team contributors that usually tackle unplanned, but extremely welcomed bugs or overhauls. We absolutely love contributions that help us move forward, so thank you very much:
  @n-peugnet @rob006 @datlechin @iPurpl3x @rafaucau @exside.
• The core and staff team contributors, people that have vast knowledge of the code base who sacrifice their free time to bring the awesome Flarum software to you, for free. Thank you so much:
  @askvortsov @SychO @davwheat @luceos @IanM @clarkwinkelmann @OrdinaryJellyfish
• The community staff is the foundation to a warm and welcoming community. Many cheers for all you do:
  @jordanjay29 @GreXXL
• The well-oiled machine that is the translation team, keeping up with new languages, their maintainers and the translations perfectly well. Very, very much appreciated:
  @GreXXL @Justoverclock @rob006
• All our additional staff who all help us where we need it most:
  @tankerkiller125 @datitisev @Deebug @katos @victorparedes.
• A great shout out to everyone who's submitted carefully described issues and suggestions, especially:
  @iPurpl3x, UserZHTW, flawedworld, tarjeiba, @Eldenroot, @Nearata, @n-peugnet, fakerybakery, @matteocontrini, @jslirola, @Darkle, rebelC0der.
• And the whole community sharing their passion for Flarum, urging us on!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By becoming a Supporter or Sponsor on Discuss, backing us on Open Collective or on GitHub.
• 🤟 By supporting new features with your pledge in ourProposals.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 📈 By creating your own Flarum extensions and sharing them with the world!
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

For installation instructions check our installation documentation. If you are interested in developing extensions for Flarum, check the extend section there.

Hello everyone,

2023 has become a year of change for Flarum.
But first, let me give you a drilldown of how we came to the Flarum of today, for those of you who are new.

Flarum up till now
On December 20th 2014, Flarum was open sourced, canceling a running fundraiser for a software as a service on Kickstarter in favor of making "better forums for everyone". Merging the efforts on Esotalk and FluxBB, Toby Zerner and Franz Liedke respectively combined their efforts to work on a fully open, lean and extensible community software under the Flarum name.
These two - with a team of zealous others - as the core team, spent their free time working on the early beta’s of a forum software impressing with fresh looks, extreme extensibility and a simple stack for small to corporate communities on shared and scalable hosting environments.
In 2019, the Flarum Foundation was set up to safeguard the open source nature of Flarum, protect its source code to the benefit of the community. Two years later the first stable version was released, a tremendous effort of people sacrificing their leisure time for the Flarum cause. Running into many issues with gaining sustainability for the project, early 2022 Blomstra was founded to answer the call for professional services in the ecosystem and invest back into the project unconditionally.
Progress on the Flarum project rest on the shoulders of a small group of people. Expectations, as such, are hard to meet with the amount of capacity we have. For this reason, attracting and retaining stable sources of income for the project have been a focus these past couple of years. And these efforts bear their fruits in 2023.
Flarum Commercial
Within the next couple of months we will unify many of the ecosystem portals into one central place for everything Flarum. In addition to the Flarum Foundation, to safeguard Flarum as a stable, maintained and healthily developed-on product, a commercial entity is incorporated that operates under the same name. This company is merging the Flarum website, Extiverse and Blomstra features and services into one new website for centralised information, news and services related to Flarum.
Other open source projects, like Zammad, GitLab, Vanilla and Discourse, have taken a similar approach with great success and managed Flarum hosting and custom Flarum development have shown to generate sufficient income to support some of our core developers. Pursuing this further, like others before us, will hopefully allow us to strengthen this approach and increase our hiring capacity for the future by making them more centrally available.
It's important to remember that Flarum will always remain open source and the new website will be transparent about this. For those who have already adopted Flarum or are new to it, nothing will change going forward.
You can take a peak at what’s in store for the new website at https://next.flarum.org (work in progress).

NLnet Grant
Our efforts to attract funding have, after several failed attempts, lead to the project now receiving a grant from NLnet. NLnet, having played a major role in the creation of the internet as we know today, is a foundation to stimulate network research and development in the domain of Internet technology. The application for a grant to build Flarum v2.0 with their help, has resulted in acquiring a total budget of 50.000 euro to work on the following topics:

• Upgrading stale dependencies, like Laravel and Mithril;
• Moving from Less to Sass in compiling stylesheets;
• Support for search drivers in the backend;
• Improvements to search in the frontend (ux/ui);
• GDPR compliance;
• Code splitting of auto-generated javascript files;
• Tests for the frontend;
• Theme design improvements;
• Database drivers, like Postgres;
• Plugin manager;
• Improvements to the JSONAPI;
• Security audit;
• Accessibility audit;
• Federation;
• Automating community extension upgrades;
• Email unsubscribing.

These items, part of our original application towards the grant, have been taken from our own roadmap and the list of community provided proposals.
As the grant is strictly provided towards the technical implementation of the 2.0 roadmap and participants are paid out directly by NLnet, we opted to split the budget between two people. This would improve the speed of development as reviews can be performed quickly and collaboration will be synchronized. I’m glad that Sami @SychO , as the lead developer of our project and Ian @IanM, as core developer and lead of the Friends of Flarum, have agreed to work under this arrangement effective immediately.
Although we still have to release v1.8 before starting work on v2.0, you can expect a lot of activity going forward. I hope to be able to keep you all in the loop of everything that is happening.
I am thrilled about 2023, all these things coming together is going to be a huge boost to Flarum and its adoption. I love to hear what you think, do leave a reply.