Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: ALL COMPONENTS
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

      Note that there are no proven security issues currently, just possible breaches.

      This issue should never be closed.


          Activity

          Jacques Le Roux added a comment -

          Marco,

          I voluntarily put "unknown" as component as this is a cover (or hat if you prefer) issue whose goal is to group together potential security issues. In other words this issue should never be closed as we don't know in advance which components might be affected by a security issue.

          Moreover ecommerce is already concerned by some potential security issues ;o)

          Marco Risaliti added a comment -

          Sorry Jacques, I had not seen that it was a grouped bug.
          In this case I used to set in the grouped bugs the sum of the components used by the detailed issues.
          I didn't like unknown components.
          Otherwise we can add a new fictitious component - GROUPED ISSUES - and assign this component to this type of issue.

          Thanks
          Marco

          Jonathon Wong added a comment -

          > Note that there are no proved security issue currently, just possible breaches.

          Perhaps no one has taken the time to breach the security related to these issues. However, it doesn't take much time to do so! Certain "patterns" of security mechanisms are quite textbook; the violation of these "patterns" invariably means a security hole. Proving these textbook cases is easy via maths or logic. Proving via experimentation isn't much more difficult.

          Is it a policy to wait for an actual reported breach before a textbook case is resolved? In some of my projects, I was subject to a "security audit" (like an "interview" for OFBiz) before I could even qualify for tender. None of my projects could use OFBiz security "as is"; they all needed a replacement security module.

          David E. Jones added a comment -

          Not sure what Jacques was going for with the whole proving thing... but I agree that this is no reason to not work on things.

          Your comments (Jonathon) seem to forget the driving force behind OFBiz. There is no policy per se on this because the only policies that exist are there to coordinate contributions. For these particular problems the basic fact is that if no one contributes a fix, there will be no fix in the project. That is the definition of "community driven".

          Scott Gray added a comment -

          I think the "policy" is a bit more like this:
          If you want it, either do it or pay someone else to do it.

          Sumit Pandit added a comment -

          OFBIZ-4958 is looking for members' attention. Please have a look.

          Thanks
          Sumit Pandit

          Jacques Le Roux added a comment -

          Yes don't worry Sumit, I did not forget it...

          Sumit Pandit added a comment -

          Thanks Jacques.


            People

            • Assignee: Unassigned
            • Reporter: Jacques Le Roux
            • Votes: 0
            • Watchers: 7
