@DownPW said in NodeBB v3.0.0-rc.1 — The release candidate:

./nodebb stop
git fetch && git checkout develop && git reset --hard origin/develop
./nodebb upgrade
./nodebb start

Thanks. My test forum is now on v3.0.0-rc.1.

@julian @baris Thanks for v3 🤓

@DownPW thanks! The less time of mine the spammers waste, the better.

hey ho and me @cagatay lol

We will be dropping support for nodejs 14.x in nodebb 3.x.

Nodejs 14 will be out of maintenance in april 2023 and some of our dependencies no longer support it.

You can see nodejs release schedule here https://github.com/nodejs/release#release-schedule

I wanted to provide an update to my robot-written post from the other day regarding NodeBB and the Docker Hub.

On the 14th of March, we received an email from Docker which laid out in plain terms that we were on a plan that was to-be-sunset, and that all of our data was to be deleted.

If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply. At any point during the 30-day period, you can restore access to your organization account if you upgrade to a paid subscription. Visit our FAQ for more information.

Looking into this, it does appear that the NodeBB organization is on the "Docker Free Team" plan. We've been using the Docker Hub as a means to distribute our images as it seems to be the de facto gathering point for people using Docker. There's an implicitly guarantee of quality since the NodeBB image is published by NodeBB, the organization.

So, it seems like all of our historical images are getting deleted. Bummer!

N.B. A developer relations representative from Docker posted later on Hacker News that this didn't mean the "images" would be deleted — but only "organization data" — since that wasn't explicitly specified in the blurb above. Did you catch that in the italicized blurb above? I sure didn't. Do you believe it? I sure don't.

Is this fair?

That's a rather nuanced question with many facets. I will simply point out that the Docker organization has provided their registry for free for anyone who wanted, and it was (and still is) their perogative to do so. It also means that should they withdraw that generosity, that's also within their perogative, despite how it affects the open-source community at-large.

There's no onus on Docker to provide their services for free, and it is difficult for companies to find a pathway toward profitability, especially when costs escalate without a corresponding match in revenue.

Isn't Docker supported by NodeBB?

Not officially, no. NodeBB's stance on Docker has been passive. I like to maintain that support for the Docker image (and the Dockerfile found in our repo) is on a community-supported basis only.

The reason this is is because the main developers of NodeBB (@baris and myself) don't use Docker. It would be unfair to you, the end user, to have us try to support Docker, because we would be pretty abysmal at it. We've chosen to dedicate our time and resources elsewhere, and it does mean that our Docker implementation is minimal, perhaps lackluster.

The second part of this is that I personally (and I very specifically do not use the "company we" here, as this is my personal opinion) am not sold on containerization. I certainly understand the convenience benefits, and the security benefits, but I consider this an abstraction that actively harms low-level understanding of how software interacts with an operating system. For the same reason I eschew front-end frameworks from a career perspective, I am hesitant on going all-in on Docker or other related technologies for similar reasons. I will not go in-depth about this for now, but reserve the right to blather on about it at a later date 😄

I also realize that Docker is a very popular tool. The fact that it has become a household term for so many developers is a rather strong signal that containerization is The Real Deal. It is very possible that there may be a fundamental shift in the operations space away from pure ops and towards DevOps in the future that will necessitate action on our part. However, I don't think we are there right now, and I feel that this move from Docker may have set this line of thinking back for some time to come.

Isn't NodeBB open-source? Can't you apply for an open-source account?

Yes, and no.

NodeBB is an open-source product. Our code is hosted on GitHub (thanks Microsoft!), and licensed under the GPL v3 license.

At the same time, we have chosen to make this our livelihood. @baris and I have managed (with @psychobunny, for many years) to build a forum platform that can sustain our families, and allow us to spend at least part of our time on the open-source aspect of NodeBB. We offer professional consultation, theme design, custom plugins (both private and public), and a SaaS platform where you can have us host and maintain your own NodeBB, for a fee.

Docker considers this a violation of their open-source qualification criteria:

Not have a pathway to commercialization. Your organization must not seek to make a profit through services or by charging for higher tiers. Accepting donations to sustain your efforts is permissible.

They have chosen to support the most vulnerable open-source developers, the ones who contribute and maintain open-source projects just for the benefit to the world, and that's commendable. We do not fit that narrow scope, and that's fine too.

What happens now?

Docker wants us to pay to use the Docker Hub, and we have decided not to for the aforementioned reasons above.

Community members have already shared their thoughts with us, and are even helping us transition away from Docker Hub. We really appreciate them! We have no vested interest in Docker, and with regards to containerization of NodeBB, we will go where the prevailing winds of public opinion take us. Whether that be the GitHub Container Registry, or somewhere else.

There are users whose NodeBB installs are maintained via the images on Docker Hub. We currently don't have guidance for those users, but we will in the coming days/weeks. If you are one of those users, what's important to note now is that you can no longer rely on those images being around in perpetuity.

This is an issue that — as of writing — is currently still in flux. Public opinion is heated and so are the responses from Docker.

References https://blog.alexellis.io/docker-is-deleting-open-source-images/ (Hacker News Discussion) https://www.docker.com/blog/we-apologize-we-did-a-terrible-job-announcing-the-end-of-docker-free-teams/ (Hacker News Discussion)

That is correct. A plugin should work with no breakages as long as they do not upgrade to the next major version level.

NodeBB forum admins are still advised to use the recommended plugin version in the ACP, as there is no guarantee that plugins will follow semver.

@baris Thank you! Now it's work ❤

A bug in our message parsing code can result in remote code execution.

Affected versions >=2.5.0 <2.8.7

We have resolved this in the latest version of NodeBB(2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers.

The fix is included in the latest 2.8.7 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7.

If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092

I missed one from last night!

@baris added a tag filter UI to the tags page 😄

Link Preview Image Tag filter on topic list

Harmony has a tag filter on category, recent and unread pages now. This has been requested a few times on our github and on this forum and it was possible by...

favicon

NodeBB Community (community.nodebb.org)

The updates continue unabated here, as we work on updating the Harmony theme, page by page!

This past couple weeks, you might've noticed that the /users page got a refresh:

Screenshot 2023-02-10 at 15-24-08 Community.png

Almost all of the elements have remained unchanged. There is no new information here, but it's absolutely shocking to see how much more balanced the page is compared to Persona.

We also updated the flag list and details pages, to give those tireless content moderators a bit of a boost as well. You might notice that the list of flag filters in the sidebar has been updated to match the UI controls found in the /search page as well.

Screenshot 2023-02-10 at 15-21-31 NodeBB.png

Screenshot 2023-02-10 at 15-21-26 NodeBB.png

Here is how it used to look on Persona:

Screenshot 2023-02-10 at 15-19-18 NodeBB.png

Screenshot 2023-02-10 at 15-19-24 NodeBB.png

It sure does. I was very very excited when they came back. I used a Nokia 6.1 for quite awhile, until it got too slow 😐

You might have noticed the search bar integration in the Harmony theme. Similar to Persona, the search bar is omni-present, although it is in a sidebar configuration unlike Persona's top bar (there is no top bar in Harmony as per design spec) 👇

2dfd978a-3c53-4ef1-a8ae-525f10adcd59-image.png

@vladstudio and @baris recently turned their attention to the search page as another potential improvement. The main complaint was that it was difficult to use effectively, as we had a large form hidden via an expanding drawer. The ability to filter through search results was functionally complete, but the user experience was lacking.

0c3c8c86-1cde-45ca-8e83-3c10495f86a0-image.png

Per @vladstudio:

The main interface issue I wanted to fix in Search page is that:

the advanced controls are hidden by default; when opened, they jump at me all at once and occupy the entire screen.

I wanted to make the following changes:

make all controls visible by default; make them more “gradual”, so that each individual filter takes as little space as possible.

My assumptions were that:

majority of users will glance through the controls and discover them, but not use; those who do use advanced controls, will not use all of them, only a couple.

So I tried to optimize for these assumptions.

Harmony was updated with a completely re-designed search results page, that puts the content front-and-center while ensuring that you can see each filter applied, at-a-glance.

6982aef1-2a33-4547-876d-dc8ef40732b7-image.png

While the content creation and consumption aspects of forums are our primary aims with NodeBB (and the Harmony theme as well), archival is an oft-overlooked benefit as well.

The ability to retain and later find relevant content is paramount to the continued existence of forum-based communities, and it is one that is minimized or outright hidden from the end user on social media.

Do a web search on any topic under the sun, and more often than not, you'll find a forum topic with a detailed discussion about it — not a Facebook post, not a Twitter thread, not an Instagram reel.

Social media is ephemeral, forums are not. Let's keep it that way 😉

Tonight I come to you all hat-in-hand as I reveal a blunder I made over a year ago...

See, on 16 July of 2021, I was refactoring the Flags API, and adding new routes to the Write API for flags administration. While updating the API spec, I was impatient and wanted the tests to finish quicker, so I commented out a couple hundred tests so they'd run faster:

da13101f-69ce-4884-ada7-dc9ca8a1c632-image.png

I just also happened to forget to re-enable them 😱

What does this mean?

The test/api.js file dynamically generates tests to ensure that:

The Read and Write APIs are syntactically correct as per the OpenAPI spec The routes defined in our spec files match the actual routes that NodeBB serves Each route responds correctly and that their response body matches what is expected

We needed these tests because the OpenAPI spec is manually curated, and without them the spec would be out-of-sync with how NodeBB actually behaves.

So the spec is out-of-sync?

And how! I spent the past few days bringing the spec back up to date, and the PR was just merged today into bootstrap5, so as of v3, the Read API documentation will be in sync again. The Write API documentation remained in sync as those tests were enabled all along.

Conclusion

If over the latter half of 2021 and 2022, this API synchronization bit you, I apologize! The changes to the APIs were mostly minor — a couple of properties were added to different routes, although there were some properties removed or renamed.

It has certainly improves the first impression of categories page.

Nodebb should pay attention to the work of personal messages, if you think private messages on the forum is superfluous - you are very mistaken and this wretched chat kills the desire to switch to Nodebb.

As a simple user, I can change CSS to my wishlist and do something decent from this squalor. But you, as developers, could add elementary options, for example:

the ability to set the name for a private dialogue at the stage of its creation show online/offline statuses in the list of interlocutors show the status read/not read the message

These "innovations" are in all old forums, when I see a new engine in which there is no what is on the old engines, it very sad.

It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases.
You can either upgrade to 2.8.1 or only get the changes from the specific commit.

It gets even faster when you pass in development under the NODE_ENV flag!

... but of course you don't want to enable that flag in production.

@julian said in September 2022 Design Preview (New Base Theme):

We have taken a number of approaches to the design and are close to showing off another preview very soon (an actual one with real content!)

Wow! I look forward to 😳

Hi there!

Wondering what a proper object would look like for updating a users notification settings with a PUT request. The only example from the docs doesn't drill very deep (showfullname: "1") and I'm trying to understand what I should send to update a users notification preferences. The response is a string and in the network activity I can see that is just "notification" -- but trying to update settings.notificationsettings[i].emailnotification to true or false or whatever the relevant binary-type values are. Am I in the right ballpark?

Thanks!

The security advisory has now been published