I'm currently using IPB; the security patch system there is awful. If a security patch is released, they make an announcement in your AdminCP, and the announcement stays up for about a month. It does not go away if you patch the software for the flaw, nor does the software itself indicate version number or patch level.
How does XF handle security patches and their reporting?
Is there a process for reporting this in the AdminCP? If there is more than one site admin, how would he/she know if the patch is applied? A version number/patch level indicator in the admin area seems like an easy way to do this.
So it appears XF does patch reporting like IPB, announcements and email notifications with no internal reporting. vB has clear patch level reporting within the AdminCP itself, and I'd suggest XF do the same. It would save a lot of frustration for people who run multiple sites, and/or have multiple admins.
The "applied patch" is normally just a modified .php file or .swf file (in the two main cases I remember).
The best process is when a point release (which is what will happen typically if a security vulnerability is found) is released, install the point upgrade (and not the patch file). Then you see the version number in the ACP when you log in.
Patching is always better, but no reason to go through that process, especially when the fix is uploading one file, a process that takes 15 seconds start to finish, especially when admins are busy.
Seems like an exceptionally simple include that would help some members. Yes, security patches are rare, but exposed sites are mini-crisis points for the admins. Wouldn't it be good to make that process as clear and unconfusing as possible?
The internal versioning system does account for patch level, so if they ever decide to patch as such it can be displayed. It currently doesn't, as all permanent patches have been full patch versions.
I can only recall 3 incidents in my time here. 2 of them were the flash uploader and another was a flaw in PHP itself. None of them directly XenForo related. If a serious issue comes up, the patch is usually available with instructions, but a day or two later all the vetted fixes are released with the vulnerability patch anyways.
I asked if the current patch level was displayed; it is not if the patch alone is applied. Being informed of an outstanding unpatched vulnerability in the ACP is a separate but very important item also.
Sorry for the semantics here, but I need to get very specific info, which I now have. Thanks to all!
Just to clarify, the Install and Upgrade by Waindigo add-on does not automatically alert you if your XenForo installation is out of date, although it does have the ability to do that and if there was a serious security breach we would certainly use the broadcast system included in that add-on to alert sites that needed to upgrade their installation.