What have you done to upgrade security?
Henry Sudhof: We have taken security very seriously for this release. This started with an API for input handling, which enforces strict types. This alone locks out a vast number of possible nasty surprises. Then our database abstraction layer does a very similar job at the other end; it automatically ensures that all parameters are properly escaped. Then we also have API functions for various security aspects, like preventing CSRF and handling file uploads. Our security API is certainly among the major new aspects in phpBB3.
To make sure that our ideas are sound, we hired the PHP security expert Stefan Esser to perform an audit on our code. His recommendations were then introduced into phpBB 3 as well.
Why was phpBB released as a free and open source bulletin board?
Henry Sudhof: It was always open source and will always be open source. Believing in open source is the unifying trait for all contributors of phpBB. We really want to make a good, free product - and to have fun while we are at it.
What development model does the phpBB team use?
Henry Sudhof: As phpBB evolves, so does our process. Earlier versions had a tiny code base compared to the things we will do next. While coding for phpBB is a pastime activity for most developers, it is taken very seriously. For 3.0, we used the repository to get something related to distributed Extreme Programming. We are setting up a new Q&A infrastructure including Unit-Tests to follow a relaxed V-model while designing the next versions, taking a few hints from OWASP.
What does your dev environment consist of?
Henry Sudhof: We are using a Redmine installation and SVN; for synchronising our efforts we are using - shocking - phpBB. The developers use a wide array of tools, ranging from the various supported database systems to IDEs and text editors, as well as many different operating systems.
Do you think PHP stands out as the best language for bulletin boards and why?
Henry Sudhof: PHP is omnipresent, for easy-to-use software like phpBB that runs on almost any webspace-hosting package. There is no viable alternative.
Some people have said that the latest release (phpBB3) is much more difficult to use, due to its increased features and complexity. Do you agree, and will the dev team consider making the next release more user friendly?
Meik Sievertsen: Generally, you need to differentiate here between the users utilizing the forum, the admins that set it up and use the admin tools, and those writing modifications. With an increased feature set and using current development techniques comes complexity and an increased learning curve.
To give an example, many admins said that the permission system is too complex. But once they got used to it they said that it actually is a lot more powerful and quite easy to use. The difference here is that phpBB2 had a very tiny learning curve due to the bare feature set, but phpBB3 has a higher learning curve - especially for admins and those wanting to write modifications and dive into the code. But once learned it is as with phpBB2 - easy to use and administrate. Actually, we are quite happy about the compromise we chose, a mix between simplicity and features.
Regarding user friendliness (those surfing the forum, writing posts, participating, communicating) it is - to our belief - much better than phpBB2. We put a lot of thought into an intuitive GUI design and into making sure all functions are easily accessible.
The code is much more complex. We have strict coding guidelines in place to make sure the code follows our paradigm regarding code readability and portability. Those knowing phpBB2 are faced with a completely different code structure and different techniques so they need to learn new things. Those diving into the phpBB3 code usually do not know how bad phpBB2 was. Therefore, they are "home" instantly.
As for future developments, of course we will try to improve the code base and the front end. phpBB3 marked a real milestone and we will try to build upon it, because there is still a lot to improve in several areas. User feedback is, as always, very important to us so we can make sure it is about the user and the community.