Taking a decision on remaining Jars in OFBiz

> Hello Everyone,
>
> The total number of remaining jars in OFBiz is 13. We worked as hard as we
> can to remove everything but hit this limit. The jars belong to:
> - cmssite component
> - ebaystore component
> - the tools directory
> - one remaining library in framework (jpim)
>
> We need to take a decision on what to do next. I would like to propose the
> following:
>
> 1- Delete all the jars for the cmssite component. Everything compiles and
> all tests run.
> 2- Disable the ebaystore component (or alternatively delete it). The
> libraries are hard to find relating to the ebay SDK and none seem to be
> published in JCenter

> Le 29/07/2016 à 13:56, Taher Alkhateeb a écrit :
>> - ./framework/base/lib/jpim-0.1.jar (used for contacts management)
> I propose to :
> * open an issue
> * remove the lib
> * comment the related break code
> applications/marketing/src/main/java/org/apache/ofbiz/sfa/vcard/VCard.java
> with a fixme
> * return error when the service is call with explain the pb and all
> contribution are welcome :)
> Nicolas
>
>

> On Fri, Jul 29, 2016 at 1:56 PM, Taher Alkhateeb <[hidden email]
>> wrote:
>
>> ...
> - ebaystore component
> The jars in the ebaystore components are licensed under the CDDL licence,
> that is addressed by the following ASF licensing rules:
>
> http://www.apache.org/legal/resolved.html#category-b
>
> I am not sure I fully grasp all the details but I think that it would be
> safer, to be sure we adhere to the licensing policies, if we not bundle
> these jars in our releases.
> Based on the above, my preference is to remove these jars, disable the
> component, add a README file to the component to explain how to download
> the jars and deploy it.

> Inline
>
>
> Le 05/08/2016 à 10:33, Jacopo Cappellato a écrit :
>
>> On Fri, Jul 29, 2016 at 1:56 PM, Taher Alkhateeb <
>> [hidden email]
>>
>>> wrote:
>>>
>>
>> ...
>>>
>> - ebaystore component
>> The jars in the ebaystore components are licensed under the CDDL licence,
>> that is addressed by the following ASF licensing rules:
>>
>> http://www.apache.org/legal/resolved.html#category-b
>>
>> I am not sure I fully grasp all the details but I think that it would be
>> safer, to be sure we adhere to the licensing policies, if we not bundle
>> these jars in our releases.
>> Based on the above, my preference is to remove these jars, disable the
>> component, add a README file to the component to explain how to download
>> the jars and deploy it.
>>
>
> +1
>
> - the tools directory
>>>
>>> In my opinion we should start thinking about moving this folder outside
>> of
>> the trunk:
>>
>> trunk
>> tags
>> branches
>> tools
>>
>
> +1, using svn:externals tools could be easily embedded in a main OFBiz
> working copy. BTW, the 2 sub-folders are mostly intended to be used in
> production
>
> Jacques
>
>
>> Jacopo
>>
>>
>

> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>
>> +1 makes sense
>>
>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure and
>> replace them with some scripts in /tools if people are not using them? (I
>> assume we only use them with demos?)
>>
>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<[hidden email]>
>> wrote:
>>
>
> Nope, those are intended to be used in production if ever you need it.
>
> See the warning there https://cwiki.apache.org/confl
> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>
> Jacques
>
>

> Why isn't whatever functionality 'ofbizSecure' provides, just included as
> part of the regular 'ofbiz' task?
>
> On 5 August 2016 at 21:35, Jacques Le Roux <[hidden email]
> <javascript:;>>
> wrote:
>
> > Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
> >
> >> +1 makes sense
> >>
> >> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
> and
> >> replace them with some scripts in /tools if people are not using them?
> (I
> >> assume we only use them with demos?)
> >>
> >> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<[hidden email]
> <javascript:;>>
> >> wrote:
> >>
> >
> > Nope, those are intended to be used in production if ever you need it.
> >
> > See the warning there https://cwiki.apache.org/confl
> > uence/display/OFBIZ/Keeping+OFBiz+secure for details
> >
> > Jacques
> >
> >
>

> Why isn't whatever functionality 'ofbizSecure' provides, just included as
> part of the regular 'ofbiz' task?
>
> On 5 August 2016 at 21:35, Jacques Le Roux <[hidden email]>
> wrote:
>
>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>
>>> +1 makes sense
>>>
>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure and
>>> replace them with some scripts in /tools if people are not using them? (I
>>> assume we only use them with demos?)
>>>
>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<[hidden email]>
>>> wrote:
>>>
>> Nope, those are intended to be used in production if ever you need it.
>>
>> See the warning there https://cwiki.apache.org/confl
>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>
>> Jacques
>>
>>

> The idea is that by default the task does not do much. You have to follow
> the advices they give to make it really effective (filling a white list is
> the better way)
>
> That's why I separated it from the rest to make it more obvious for users.
>
> Currently "gradlew tasks" gives you this information
>
> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
> pre-loading the notsoserial Java agent
> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands
> in background (secure mode) and output to console.log
>
> Jacques
>
>
>
> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>
>> Why isn't whatever functionality 'ofbizSecure' provides, just included as
>> part of the regular 'ofbiz' task?
>>
>> On 5 August 2016 at 21:35, Jacques Le Roux <[hidden email]>
>> wrote:
>>
>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>
>>> +1 makes sense
>>>>
>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>> and
>>>> replace them with some scripts in /tools if people are not using them?
>>>> (I
>>>> assume we only use them with demos?)
>>>>
>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<[hidden email]
>>>> >
>>>> wrote:
>>>>
>>>> Nope, those are intended to be used in production if ever you need it.
>>>
>>> See the warning there https://cwiki.apache.org/confl
>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>
>>> Jacques
>>>
>>>
>>>
>

>
> Taher Alkhateeb
>
> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> The idea is that by default the task does not do much. You have to follow
>> the advices they give to make it really effective (filling a white list is
>> the better way)
>>
>> That's why I separated it from the rest to make it more obvious for users.
>>
>> Currently "gradlew tasks" gives you this information
>>
>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>> pre-loading the notsoserial Java agent
>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands
>> in background (secure mode) and output to console.log
>>
>> Jacques
>>
>>
>>
>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>>
>>> Why isn't whatever functionality 'ofbizSecure' provides, just included as
>>> part of the regular 'ofbiz' task?
>>>
>>> On 5 August 2016 at 21:35, Jacques Le Roux <[hidden email]>
>>> wrote:
>>>
>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>> +1 makes sense
>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>>> and
>>>>> replace them with some scripts in /tools if people are not using them?
>>>>> (I
>>>>> assume we only use them with demos?)
>>>>>
>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<[hidden email]
>>>>> wrote:
>>>>>
>>>>> Nope, those are intended to be used in production if ever you need it.
>>>> See the warning there https://cwiki.apache.org/confl
>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>
>>>> Jacques
>>>>
>>>>
>>>>

> Le 06/08/2016 à 11:43, Taher Alkhateeb a écrit :
>
>> Hi Jacques,
>>
>> I think that filling the white list ,etc ... might be something to keep in
>> the page on securing OFBiz (documentation).
>>
>
> I prefer to have a direct link to notsoserial documentation to be sure
> it's up to date. That's what I did on the related wiki page
>
> I understand your point about
>> making it more "explicit" which makes sense, it has, however, the downside
>> of making the users aware that there are different tasks to run, and also
>> the rc scripts need to be modified to production and might be confusing
>> (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too
>> many options to choose from in a production environment.
>>
>> No strong opinion, but I am suggesting to make it a little easier for
>> people with a less-is-more kind of approach.
>>
>
> What would you suggest? It seems to me that removing these options would
> degrade the information about rare but possible vulnerabilities
>
> Jacques
>
>
>> Taher Alkhateeb
>>
>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
>> [hidden email]> wrote:
>>
>> The idea is that by default the task does not do much. You have to follow
>>> the advices they give to make it really effective (filling a white list
>>> is
>>> the better way)
>>>
>>> That's why I separated it from the rest to make it more obvious for
>>> users.
>>>
>>> Currently "gradlew tasks" gives you this information
>>>
>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>>> pre-loading the notsoserial Java agent
>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands
>>> in background (secure mode) and output to console.log
>>>
>>> Jacques
>>>
>>>
>>>
>>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>>>
>>> Why isn't whatever functionality 'ofbizSecure' provides, just included as
>>>> part of the regular 'ofbiz' task?
>>>>
>>>> On 5 August 2016 at 21:35, Jacques Le Roux <
>>>> [hidden email]>
>>>> wrote:
>>>>
>>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>>
>>>>> +1 makes sense
>>>>>
>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>>>> and
>>>>>> replace them with some scripts in /tools if people are not using them?
>>>>>> (I
>>>>>> assume we only use them with demos?)
>>>>>>
>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<jacques.le.roux@les7arts
>>>>>> .com
>>>>>> wrote:
>>>>>>
>>>>>> Nope, those are intended to be used in production if ever you need it.
>>>>>>
>>>>> See the warning there https://cwiki.apache.org/confl
>>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>>
>>>>>
>

> Hi Jacques,
>
> As I referred to earlier I suggest the following:
>
> - remove ofbizSecure and ofbizBackgroundSecure
> - make all other server tasks secure by default (i.e. loading notsoserial
> and all other jvm args which are currently used in ofbizSecure). This means
> ofbiz, ofbizBackground and ofbizDebug
> - update the documentation so that users need not worry about calling any
> secure tasks. So they only need to do custom work such as the whitelist,
> etc ...
>
> I am not sure but I think there is no performance penalty right? That is
> why I suggest lumping them together.
>
> Taher Alkhateeb
>
> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[hidden email]>
> wrote:
>
>> Le 06/08/2016 à 11:43, Taher Alkhateeb a écrit :
>>
>>> Hi Jacques,
>>>
>>> I think that filling the white list ,etc ... might be something to keep in
>>> the page on securing OFBiz (documentation).
>>>
>> I prefer to have a direct link to notsoserial documentation to be sure
>> it's up to date. That's what I did on the related wiki page
>>
>> I understand your point about
>>> making it more "explicit" which makes sense, it has, however, the downside
>>> of making the users aware that there are different tasks to run, and also
>>> the rc scripts need to be modified to production and might be confusing
>>> (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too
>>> many options to choose from in a production environment.
>>>
>>> No strong opinion, but I am suggesting to make it a little easier for
>>> people with a less-is-more kind of approach.
>>>
>> What would you suggest? It seems to me that removing these options would
>> degrade the information about rare but possible vulnerabilities
>>
>> Jacques
>>
>>
>>> Taher Alkhateeb
>>>
>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
>>> [hidden email]> wrote:
>>>
>>> The idea is that by default the task does not do much. You have to follow
>>>> the advices they give to make it really effective (filling a white list
>>>> is
>>>> the better way)
>>>>
>>>> That's why I separated it from the rest to make it more obvious for
>>>> users.
>>>>
>>>> Currently "gradlew tasks" gives you this information
>>>>
>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>>>> pre-loading the notsoserial Java agent
>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands
>>>> in background (secure mode) and output to console.log
>>>>
>>>> Jacques
>>>>
>>>>
>>>>
>>>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>>>>
>>>> Why isn't whatever functionality 'ofbizSecure' provides, just included as
>>>>> part of the regular 'ofbiz' task?
>>>>>
>>>>> On 5 August 2016 at 21:35, Jacques Le Roux <
>>>>> [hidden email]>
>>>>> wrote:
>>>>>
>>>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>>>
>>>>>> +1 makes sense
>>>>>>
>>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>>>>> and
>>>>>>> replace them with some scripts in /tools if people are not using them?
>>>>>>> (I
>>>>>>> assume we only use them with demos?)
>>>>>>>
>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<jacques.le.roux@les7arts
>>>>>>> .com
>>>>>>> wrote:
>>>>>>>
>>>>>>> Nope, those are intended to be used in production if ever you need it.
>>>>>>>
>>>>>> See the warning there https://cwiki.apache.org/confl
>>>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>>
>>>>>>

> I'd not be against but we need to be clear while documenting that it's not
> enough for security (when needed, users need to refer to the wiki page), a
> white list is necessary (again only when needed, not OOTB)
>
> I guess (at least I hope for them) most sysadmin, devops are aware of the
> possible issue, but simpler users need to be warned...
>
> Jacques
>
> Le 06/08/2016 à 12:49, Taher Alkhateeb a écrit :
>
>> Hi Jacques,
>>
>> As I referred to earlier I suggest the following:
>>
>> - remove ofbizSecure and ofbizBackgroundSecure
>> - make all other server tasks secure by default (i.e. loading notsoserial
>> and all other jvm args which are currently used in ofbizSecure). This
>> means
>> ofbiz, ofbizBackground and ofbizDebug
>> - update the documentation so that users need not worry about calling any
>> secure tasks. So they only need to do custom work such as the whitelist,
>> etc ...
>>
>> I am not sure but I think there is no performance penalty right? That is
>> why I suggest lumping them together.
>>
>> Taher Alkhateeb
>>
>> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[hidden email]>
>> wrote:
>>
>> Le 06/08/2016 à 11:43, Taher Alkhateeb a écrit :
>>>
>>> Hi Jacques,
>>>>
>>>> I think that filling the white list ,etc ... might be something to keep
>>>> in
>>>> the page on securing OFBiz (documentation).
>>>>
>>>> I prefer to have a direct link to notsoserial documentation to be sure
>>> it's up to date. That's what I did on the related wiki page
>>>
>>> I understand your point about
>>>
>>>> making it more "explicit" which makes sense, it has, however, the
>>>> downside
>>>> of making the users aware that there are different tasks to run, and
>>>> also
>>>> the rc scripts need to be modified to production and might be confusing
>>>> (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be
>>>> too
>>>> many options to choose from in a production environment.
>>>>
>>>> No strong opinion, but I am suggesting to make it a little easier for
>>>> people with a less-is-more kind of approach.
>>>>
>>>> What would you suggest? It seems to me that removing these options would
>>> degrade the information about rare but possible vulnerabilities
>>>
>>> Jacques
>>>
>>>
>>> Taher Alkhateeb
>>>>
>>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
>>>> [hidden email]> wrote:
>>>>
>>>> The idea is that by default the task does not do much. You have to
>>>> follow
>>>>
>>>>> the advices they give to make it really effective (filling a white list
>>>>> is
>>>>> the better way)
>>>>>
>>>>> That's why I separated it from the rest to make it more obvious for
>>>>> users.
>>>>>
>>>>> Currently "gradlew tasks" gives you this information
>>>>>
>>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>>>>> pre-loading the notsoserial Java agent
>>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup
>>>>> commands
>>>>> in background (secure mode) and output to console.log
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>>
>>>>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>>>>>
>>>>> Why isn't whatever functionality 'ofbizSecure' provides, just included
>>>>> as
>>>>>
>>>>>> part of the regular 'ofbiz' task?
>>>>>>
>>>>>> On 5 August 2016 at 21:35, Jacques Le Roux <
>>>>>> [hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>>>>
>>>>>> +1 makes sense
>>>>>>>
>>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>>>>>> and
>>>>>>>> replace them with some scripts in /tools if people are not using
>>>>>>>> them?
>>>>>>>> (I
>>>>>>>> assume we only use them with demos?)
>>>>>>>>
>>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<jacques.le.roux@les7arts
>>>>>>>> .com
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Nope, those are intended to be used in production if ever you need
>>>>>>>> it.
>>>>>>>>
>>>>>>>> See the warning there https://cwiki.apache.org/confl
>>>>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>

> wrote:
>
> [...} I suggest the following:
>
> - remove ofbizSecure and ofbizBackgroundSecure
> - make all other server tasks secure by default (i.e. loading notsoserial
> and all other jvm args which are currently used in ofbizSecure). This means
> ofbiz, ofbizBackground and ofbizDebug
> - update the documentation so that users need not worry about calling any
> secure tasks. So they only need to do custom work such as the whitelist,
> etc ...
>
>

> I'd not be against but we need to be clear while documenting that it's not
> enough for security (when needed, users need to refer to the wiki page), a
> white list is necessary (again only when needed, not OOTB)
>
> I guess (at least I hope for them) most sysadmin, devops are aware of the
> possible issue, but simpler users need to be warned...
>
> Jacques
>
> Le 06/08/2016 à 12:49, Taher Alkhateeb a écrit :
>
>> Hi Jacques,
>>
>> As I referred to earlier I suggest the following:
>>
>> - remove ofbizSecure and ofbizBackgroundSecure
>> - make all other server tasks secure by default (i.e. loading notsoserial
>> and all other jvm args which are currently used in ofbizSecure). This
>> means
>> ofbiz, ofbizBackground and ofbizDebug
>> - update the documentation so that users need not worry about calling any
>> secure tasks. So they only need to do custom work such as the whitelist,
>> etc ...
>>
>> I am not sure but I think there is no performance penalty right? That is
>> why I suggest lumping them together.
>>
>> Taher Alkhateeb
>>
>> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[hidden email]>
>> wrote:
>>
>> Le 06/08/2016 à 11:43, Taher Alkhateeb a écrit :
>>>
>>> Hi Jacques,
>>>>
>>>> I think that filling the white list ,etc ... might be something to keep
>>>> in
>>>> the page on securing OFBiz (documentation).
>>>>
>>>> I prefer to have a direct link to notsoserial documentation to be sure
>>> it's up to date. That's what I did on the related wiki page
>>>
>>> I understand your point about
>>>
>>>> making it more "explicit" which makes sense, it has, however, the
>>>> downside
>>>> of making the users aware that there are different tasks to run, and
>>>> also
>>>> the rc scripts need to be modified to production and might be confusing
>>>> (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be
>>>> too
>>>> many options to choose from in a production environment.
>>>>
>>>> No strong opinion, but I am suggesting to make it a little easier for
>>>> people with a less-is-more kind of approach.
>>>>
>>>> What would you suggest? It seems to me that removing these options would
>>> degrade the information about rare but possible vulnerabilities
>>>
>>> Jacques
>>>
>>>
>>> Taher Alkhateeb
>>>>
>>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
>>>> [hidden email]> wrote:
>>>>
>>>> The idea is that by default the task does not do much. You have to
>>>> follow
>>>>
>>>>> the advices they give to make it really effective (filling a white list
>>>>> is
>>>>> the better way)
>>>>>
>>>>> That's why I separated it from the rest to make it more obvious for
>>>>> users.
>>>>>
>>>>> Currently "gradlew tasks" gives you this information
>>>>>
>>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>>>>> pre-loading the notsoserial Java agent
>>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup
>>>>> commands
>>>>> in background (secure mode) and output to console.log
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>>
>>>>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
>>>>>
>>>>> Why isn't whatever functionality 'ofbizSecure' provides, just included
>>>>> as
>>>>>
>>>>>> part of the regular 'ofbiz' task?
>>>>>>
>>>>>> On 5 August 2016 at 21:35, Jacques Le Roux <
>>>>>> [hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
>>>>>>
>>>>>> +1 makes sense
>>>>>>>
>>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure
>>>>>>>> and
>>>>>>>> replace them with some scripts in /tools if people are not using
>>>>>>>> them?
>>>>>>>> (I
>>>>>>>> assume we only use them with demos?)
>>>>>>>>
>>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"<jacques.le.roux@les7arts
>>>>>>>> .com
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Nope, those are intended to be used in production if ever you need
>>>>>>>> it.
>>>>>>>>
>>>>>>>> See the warning there https://cwiki.apache.org/confl
>>>>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>

> I would suggest enabling the whitelist by default, adding whatever classes
> OFBiz needs OOTB and then having a clear failure message in the logs when a
> custom class fails serialization.  Would that work?
>
> Regards
> Scott
>
> On 6/08/2016 23:13, "Jacques Le Roux" <[hidden email]
> <javascript:;>> wrote:
>
> > I'd not be against but we need to be clear while documenting that it's
> not
> > enough for security (when needed, users need to refer to the wiki page),
> a
> > white list is necessary (again only when needed, not OOTB)
> >
> > I guess (at least I hope for them) most sysadmin, devops are aware of the
> > possible issue, but simpler users need to be warned...
> >
> > Jacques
> >
> > Le 06/08/2016 à 12:49, Taher Alkhateeb a écrit :
> >
> >> Hi Jacques,
> >>
> >> As I referred to earlier I suggest the following:
> >>
> >> - remove ofbizSecure and ofbizBackgroundSecure
> >> - make all other server tasks secure by default (i.e. loading
> notsoserial
> >> and all other jvm args which are currently used in ofbizSecure). This
> >> means
> >> ofbiz, ofbizBackground and ofbizDebug
> >> - update the documentation so that users need not worry about calling
> any
> >> secure tasks. So they only need to do custom work such as the whitelist,
> >> etc ...
> >>
> >> I am not sure but I think there is no performance penalty right? That is
> >> why I suggest lumping them together.
> >>
> >> Taher Alkhateeb
> >>
> >> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <
> [hidden email] <javascript:;>>
> >> wrote:
> >>
> >> Le 06/08/2016 à 11:43, Taher Alkhateeb a écrit :
> >>>
> >>> Hi Jacques,
> >>>>
> >>>> I think that filling the white list ,etc ... might be something to
> keep
> >>>> in
> >>>> the page on securing OFBiz (documentation).
> >>>>
> >>>> I prefer to have a direct link to notsoserial documentation to be sure
> >>> it's up to date. That's what I did on the related wiki page
> >>>
> >>> I understand your point about
> >>>
> >>>> making it more "explicit" which makes sense, it has, however, the
> >>>> downside
> >>>> of making the users aware that there are different tasks to run, and
> >>>> also
> >>>> the rc scripts need to be modified to production and might be
> confusing
> >>>> (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be
> >>>> too
> >>>> many options to choose from in a production environment.
> >>>>
> >>>> No strong opinion, but I am suggesting to make it a little easier for
> >>>> people with a less-is-more kind of approach.
> >>>>
> >>>> What would you suggest? It seems to me that removing these options
> would
> >>> degrade the information about rare but possible vulnerabilities
> >>>
> >>> Jacques
> >>>
> >>>
> >>> Taher Alkhateeb
> >>>>
> >>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <
> >>>> [hidden email] <javascript:;>> wrote:
> >>>>
> >>>> The idea is that by default the task does not do much. You have to
> >>>> follow
> >>>>
> >>>>> the advices they give to make it really effective (filling a white
> list
> >>>>> is
> >>>>> the better way)
> >>>>>
> >>>>> That's why I separated it from the rest to make it more obvious for
> >>>>> users.
> >>>>>
> >>>>> Currently "gradlew tasks" gives you this information
> >>>>>
> >>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
> >>>>> pre-loading the notsoserial Java agent
> >>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup
> >>>>> commands
> >>>>> in background (secure mode) and output to console.log
> >>>>>
> >>>>> Jacques
> >>>>>
> >>>>>
> >>>>>
> >>>>> Le 06/08/2016 à 03:33, Scott Gray a écrit :
> >>>>>
> >>>>> Why isn't whatever functionality 'ofbizSecure' provides, just
> included
> >>>>> as
> >>>>>
> >>>>>> part of the regular 'ofbiz' task?
> >>>>>>
> >>>>>> On 5 August 2016 at 21:35, Jacques Le Roux <
> >>>>>> [hidden email] <javascript:;>>
> >>>>>> wrote:
> >>>>>>
> >>>>>> Le 05/08/2016 à 11:21, Taher Alkhateeb a écrit :
> >>>>>>
> >>>>>> +1 makes sense
> >>>>>>>
> >>>>>>> Should we also remove the tasks ofbizSecure and
> ofbizBackgroundSecure
> >>>>>>>> and
> >>>>>>>> replace them with some scripts in /tools if people are not using
> >>>>>>>> them?
> >>>>>>>> (I
> >>>>>>>> assume we only use them with demos?)
> >>>>>>>>
> >>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le
> Roux"<jacques.le.roux@les7arts
> >>>>>>>> .com
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Nope, those are intended to be used in production if ever you need
> >>>>>>>> it.
> >>>>>>>>
> >>>>>>>> See the warning there https://cwiki.apache.org/confl
> >>>>>>> uence/display/OFBIZ/Keeping+OFBiz+secure for details
> >>>>>>>
> >>>>>>> Jacques
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >
>