From: "Adam Heath" <[hidden email]>
> I've added 2 major(ish) new features recently.
>
> * salt-based password hashing(with base64 encoding)
> * key-encrypting-key(kek) support.
>
> The salt-based password feature was written when JIRA was hacked
> several years ago; JIRA is based on an old version of OfBiz, so this
> change could be considered a bug fix.
I guess you will document the backports in and then close
https://issues.apache.org/jira/browse/OFBIZ-1151
https://issues.apache.org/jira/browse/OFBIZ-3006
For Jira: I guess Atlassian has already taken all the needed precautions
> kek support is a new feature, however, so generally that wouldn't be
> backported. However, I feel strong enough about the
> coolness/usefulness factor for this feature that I feel it really
> *does* need to be backported.
I'm for it, the more secure OFBiz is the better! Now I think it's not only up to both of us to decide about such a thing, opinions?
For users it would be great to also create a Jira, instantly closed (sub-task of
https://issues.apache.org/jira/browse/OFBIZ-1525)
> So, I guess I'm asking for verification: Which of these features
> should really be backported, and to which target branches?
We decided to no longer backport to releases under 10 (too many conflicts), so it would be the 10, 11 & 12 release branches. You could
make an exception for R09.04 if you feel it's OK.
My 2cts
Jacques
> ps: kek support *requires* the new hashing changes.
>
> pps: I've already backported both of these to our internal 902021
> branch(which is pre-10.04); so it would be possible for me to even go
> back that far.
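As an added illustration of the salt-based, base64-encoded password hashing the thread discusses (this is example code written for this page, not OFBiz's own implementation, and the `$algorithm$salt$digest` storage format, the PBKDF2 iteration count and the legacy unsalted SHA-1 scheme it upgrades from are all assumptions), the block below shows why a backport of this change matters to a deployment: hashing, constant-time verification, and transparent re-hashing of old unsalted records at the next successful login.

```python
import base64
import hashlib
import hmac
import os

# Assumed storage format for this example (not OFBiz's encoding):
#   "$<algorithm>$<base64 salt>$<base64 digest>"
ITERATIONS = 100_000  # PBKDF2 rounds; assumed value, tune per deployment
SALT_BYTES = 16


def hash_password(password, salt=None, algorithm="sha256"):
    """Hash a password with a per-user random salt and encode both as base64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per user, per change
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, ITERATIONS)
    return "$%s$%s$%s" % (
        algorithm,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    _, algorithm, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def legacy_hash(password):
    """Constructed stand-in for an old unsalted scheme: hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_legacy(stored):
    """Salted records carry the leading '$' of the new format; legacy ones do not."""
    return not stored.startswith("$")


def verify_and_upgrade(password, stored):
    """Check a login against either format.

    Returns (ok, new_stored). When a legacy unsalted record matches, the
    caller should persist new_stored so the account moves to the salted
    format without forcing a password reset.
    """
    if is_legacy(stored):
        if hmac.compare_digest(legacy_hash(password), stored):
            return True, hash_password(password)
        return False, stored
    return verify_password(password, stored), stored


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)  # salt and digest differ on every run
    print(verify_password("correct horse", record), verify_password("wrong", record))
    ok, upgraded = verify_and_upgrade("oldpw", legacy_hash("oldpw"))
    print(ok, upgraded.startswith("$sha256$"))
```

Two users with the same password get different stored values because the salt is random, which is the property an unsalted scheme lacks and the reason a single leaked table can be attacked with one precomputed dictionary. The upgrade-on-login path is what makes a backport to an older branch practical: existing rows keep working and are migrated as users authenticate.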