release4.0: OFBIZ-1106 (in or out?)

> Michael Jensen wrote:
>> ...
>> I'm curious to see how things pan out on this.  It will tell me how
>> seriously security is taken by the people driving ofbiz.
>>
>
> Wow... this is a huge pressure!   :-)
>
> Jacopo
>
>> Mike
>>
>>

> Lets remind everyone that there is a patch for the security.
> it is available to anyone that wants to apply it.
> I do this to my Ver 4.0 (not svn) on patches that have been done to the
> trunk.
> You can have access to all patches that are done to both the trunk and
> the branch by subscribing to the Commit ML.
>
> so the security has been addressed.
>
> this is a discussion about applying such patches to a release branch. It
> is applied to the trunk, so if you want to get the latests and greatest
> including possible bugs that the additions may cause.
> you can use the trunk for you purposes.
>
>
> Michael Jensen sent the following on 11/15/2007 10:18 AM:
>> Using that logic, you could say that almost any previous bugs were
>> really "as-implemented" features and no changes should ever be made to
>> the current release branch.
>> If it was found somewhere in ofbiz that sensitive information was
>> submitted over http instead of https, would that be considered a bug?
>> Or would it be discounted as "well, it's a bad choice but that's how it
>> was implemented"?
>>
>> I understand that the difficult thing about this is that the bug/feature
>> line has to be drawn somewhere.  (I know where I'd draw it, especially
>> on security related issues.)
>>
>> I'm curious to see how things pan out on this.  It will tell me how
>> seriously security is taken by the people driving ofbiz.
>>
>> Mike
>>
>>
>>
>> Ray Barlow wrote:
>>> As you say plenty of good points so rather than repeat lengthy arguments
>>> for or against I'll keep it simple and just say I don't think it should
>>> be described as a bug as it was implemented this way. Bad choice maybe
>>> but it's a feature change.
>>>
>>> Having said that I do think it should be seriously considered for the
>>> release branch because of it's small footprint and improvement on a very
>>> weak and insecure area.
>>>
>>> Ray
>>>
>>>
>>> Dan Shields wrote:
>>>> Thanks Jacques.   Is there any further action by me that might be
>>>> advised?   I was wondering because I was considering declaring a
>>>> referendum on the issue on the user list as per David Jones'
>>>> suggestion.
>>>>
>>>> Wow I guess that what we have here is "the absence of this new feature
>>>> is a bug".
>>>>
>>>> I must say, the dev-debate that it has inspired has been impressive!
>>>> There are good arguments both for viewing the patch as a bug, as well
>>>> as equally good arguments for viewing it as a feature.  It really
>>>> surprised me because up until that point in time (when I blindly
>>>> stumbled into this) my view was entirely to think about it as a bug
>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>> 'code that failed to hide the password' and 'the complete absence of
>>>> code that successfully hid the password', he just knew that the
>>>> software did not do 'as it should', and this was exactly my point of
>>>> view in devising a solution as well.  It requires a strong
>>>> metaphysical argument to even tell the difference between the points
>>>> of fact that might exist in the software that would reveal the actual
>>>> intent of the original design.  My feeling is that it was either
>>>> overlooked accidentally, or it was not convenient to declare the XUI
>>>> XPage in a manner that made sense to have both regular input and
>>>> password input in the same node of the tree but at different times
>>>> (this convenience is what I provided in the patch).
>>>>
>>>> As I said above I am willing to take this to the user list and invite
>>>> all users who run a release4.0 branch to submit an accept/reject vote,
>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>> the success of release4.0 to warrant.
>>>>
>>>> I am happily sitting on the fence and content to let this issue go
>>>> either way.  I am finding it fascinating.
>>>>
>>>> Cheers all
>>>> Dan
>>>>
>>>>  
>>
>>
>
>

> Jonathon
>
> BJ Freeman wrote:
> > Lets remind everyone that there is a patch for the security.
> > it is available to anyone that wants to apply it.
> > I do this to my Ver 4.0 (not svn) on patches that have been done to the
> > trunk.
> > You can have access to all patches that are done to both the trunk and
> > the branch by subscribing to the Commit ML.
> >
> > so the security has been addressed.
> >
> > this is a discussion about applying such patches to a release branch. It
> > is applied to the trunk, so if you want to get the latests and greatest
> > including possible bugs that the additions may cause.
> > you can use the trunk for you purposes.
> >
> >
> > Michael Jensen sent the following on 11/15/2007 10:18 AM:
> >> Using that logic, you could say that almost any previous bugs were
> >> really "as-implemented" features and no changes should ever be made to
> >> the current release branch.
> >> If it was found somewhere in ofbiz that sensitive information was
> >> submitted over http instead of https, would that be considered a bug?
> >> Or would it be discounted as "well, it's a bad choice but that's how it
> >> was implemented"?
> >>
> >> I understand that the difficult thing about this is that the bug/feature
> >> line has to be drawn somewhere.  (I know where I'd draw it, especially
> >> on security related issues.)
> >>
> >> I'm curious to see how things pan out on this.  It will tell me how
> >> seriously security is taken by the people driving ofbiz.
> >>
> >> Mike
> >>
> >>
> >>
> >> Ray Barlow wrote:
> >>> As you say plenty of good points so rather than repeat lengthy arguments
> >>> for or against I'll keep it simple and just say I don't think it should
> >>> be described as a bug as it was implemented this way. Bad choice maybe
> >>> but it's a feature change.
> >>>
> >>> Having said that I do think it should be seriously considered for the
> >>> release branch because of it's small footprint and improvement on a very
> >>> weak and insecure area.
> >>>
> >>> Ray
> >>>
> >>>
> >>> Dan Shields wrote:
> >>>> Thanks Jacques.   Is there any further action by me that might be
> >>>> advised?   I was wondering because I was considering declaring a
> >>>> referendum on the issue on the user list as per David Jones'
> >>>> suggestion.
> >>>>
> >>>> Wow I guess that what we have here is "the absence of this new feature
> >>>> is a bug".
> >>>>
> >>>> I must say, the dev-debate that it has inspired has been impressive!
> >>>> There are good arguments both for viewing the patch as a bug, as well
> >>>> as equally good arguments for viewing it as a feature.  It really
> >>>> surprised me because up until that point in time (when I blindly
> >>>> stumbled into this) my view was entirely to think about it as a bug
> >>>> only.  The author of OFBIZ-1106 never knew the difference between
> >>>> 'code that failed to hide the password' and 'the complete absence of
> >>>> code that successfully hid the password', he just knew that the
> >>>> software did not do 'as it should', and this was exactly my point of
> >>>> view in devising a solution as well.  It requires a strong
> >>>> metaphysical argument to even tell the difference between the points
> >>>> of fact that might exist in the software that would reveal the actual
> >>>> intent of the original design.  My feeling is that it was either
> >>>> overlooked accidentally, or it was not convenient to declare the XUI
> >>>> XPage in a manner that made sense to have both regular input and
> >>>> password input in the same node of the tree but at different times
> >>>> (this convenience is what I provided in the patch).
> >>>>
> >>>> As I said above I am willing to take this to the user list and invite
> >>>> all users who run a release4.0 branch to submit an accept/reject vote,
> >>>> as I think this feature/bug (or bug/feature) is important enough to
> >>>> the success of release4.0 to warrant.
> >>>>
> >>>> I am happily sitting on the fence and content to let this issue go
> >>>> either way.  I am finding it fascinating.
> >>>>
> >>>> Cheers all
> >>>> Dan
> >>>>
> >>>>
> >>
> >>
> >
> >
>

> Using that logic, you could say that almost any previous bugs were
> really "as-implemented" features and no changes should ever be made to
> the current release branch.
> If it was found somewhere in ofbiz that sensitive information was
> submitted over http instead of https, would that be considered a bug?
> Or would it be discounted as "well, it's a bad choice but that's how  
> it
> was implemented"?
>
> I understand that the difficult thing about this is that the bug/
> feature
> line has to be drawn somewhere.  (I know where I'd draw it, especially
> on security related issues.)

> Ray Barlow wrote:
>> As you say plenty of good points so rather than repeat lengthy  
>> arguments
>> for or against I'll keep it simple and just say I don't think it  
>> should
>> be described as a bug as it was implemented this way. Bad choice  
>> maybe
>> but it's a feature change.
>>
>> Having said that I do think it should be seriously considered for the
>> release branch because of it's small footprint and improvement on a  
>> very
>> weak and insecure area.
>>
>> Ray
>>
>>
>> Dan Shields wrote:
>>> Thanks Jacques.   Is there any further action by me that might be
>>> advised?   I was wondering because I was considering declaring a
>>> referendum on the issue on the user list as per David Jones'
>>> suggestion.
>>>
>>> Wow I guess that what we have here is "the absence of this new  
>>> feature
>>> is a bug".
>>>
>>> I must say, the dev-debate that it has inspired has been impressive!
>>> There are good arguments both for viewing the patch as a bug, as  
>>> well
>>> as equally good arguments for viewing it as a feature.  It really
>>> surprised me because up until that point in time (when I blindly
>>> stumbled into this) my view was entirely to think about it as a bug
>>> only.  The author of OFBIZ-1106 never knew the difference between
>>> 'code that failed to hide the password' and 'the complete absence of
>>> code that successfully hid the password', he just knew that the
>>> software did not do 'as it should', and this was exactly my point of
>>> view in devising a solution as well.  It requires a strong
>>> metaphysical argument to even tell the difference between the points
>>> of fact that might exist in the software that would reveal the  
>>> actual
>>> intent of the original design.  My feeling is that it was either
>>> overlooked accidentally, or it was not convenient to declare the XUI
>>> XPage in a manner that made sense to have both regular input and
>>> password input in the same node of the tree but at different times
>>> (this convenience is what I provided in the patch).
>>>
>>> As I said above I am willing to take this to the user list and  
>>> invite
>>> all users who run a release4.0 branch to submit an accept/reject  
>>> vote,
>>> as I think this feature/bug (or bug/feature) is important enough to
>>> the success of release4.0 to warrant.
>>>
>>> I am happily sitting on the fence and content to let this issue go
>>> either way.  I am finding it fascinating.
>>>
>>> Cheers all
>>> Dan
>>>
>>>

> I had no idea the can of worms this would open up when I entered the issue.
>
> I come down on the side of wanting this patch in the release branch.
>
> Further, as there is no defined release date for 4.0, I would consider it
> still open for very high-priority issues that are not traditionally defined
> as "bugs".  Ofbiz customers, if they are using the release branch in
> production or close to production would probably do well to lag a bit and
> run with an older revision of the release branch.  Regressions can always be
> an issue, even with bug "fixes".
>
> Chris
>
> -----Original Message-----
> From: David E Jones [mailto:[hidden email]]
> Sent: Thursday, November 15, 2007 4:11 PM
> To: [hidden email]
> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>
>
> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>
> > Using that logic, you could say that almost any previous bugs were
> > really "as-implemented" features and no changes should ever be made to
> > the current release branch.
> > If it was found somewhere in ofbiz that sensitive information was
> > submitted over http instead of https, would that be considered a bug?
> > Or would it be discounted as "well, it's a bad choice but that's how  
> > it
> > was implemented"?
> >
> > I understand that the difficult thing about this is that the bug/
> > feature
> > line has to be drawn somewhere.  (I know where I'd draw it, especially
> > on security related issues.)
>
> It's really not that tough... As I described in depth in my previous  
> post in this thread there is no need to muddy the meaning of "bug".
>
> Maybe the word you are looking for is "issue"?
>
> This isn't a "bug" per-se, but certainly an "issue" and solving that  
> issue requires a new feature. That doesn't mean it can't go into the  
> release branch, but non-bug-fixes should be carefully considered  
> before being added.
>
> > I'm curious to see how things pan out on this.  It will tell me how
> > seriously security is taken by the people driving ofbiz.
>
> This is a common misconception. There are no "people driving ofbiz".
>
> OFBiz is a community-driven project and things happen when a user  
> needs something, implements it, and contributes it back to the  
> project. Even committers on OFBiz are just users who have a long  
> history of contributions and are invited to be committers to  
> facilitate further involvement.
>
> Security or not, things will only be fixed if someone cares enough.  
> The flip side of that is that if someone doesn't like how something is  
> in OFBiz and they don't do anything about it, they have only  
> themselves to blame, as uncomfortable and frighteningly empowering as  
> that may be. ;)
>
> -David
>
>
> > Ray Barlow wrote:
> >> As you say plenty of good points so rather than repeat lengthy  
> >> arguments
> >> for or against I'll keep it simple and just say I don't think it  
> >> should
> >> be described as a bug as it was implemented this way. Bad choice  
> >> maybe
> >> but it's a feature change.
> >>
> >> Having said that I do think it should be seriously considered for the
> >> release branch because of it's small footprint and improvement on a  
> >> very
> >> weak and insecure area.
> >>
> >> Ray
> >>
> >>
> >> Dan Shields wrote:
> >>> Thanks Jacques.   Is there any further action by me that might be
> >>> advised?   I was wondering because I was considering declaring a
> >>> referendum on the issue on the user list as per David Jones'
> >>> suggestion.
> >>>
> >>> Wow I guess that what we have here is "the absence of this new  
> >>> feature
> >>> is a bug".
> >>>
> >>> I must say, the dev-debate that it has inspired has been impressive!
> >>> There are good arguments both for viewing the patch as a bug, as  
> >>> well
> >>> as equally good arguments for viewing it as a feature.  It really
> >>> surprised me because up until that point in time (when I blindly
> >>> stumbled into this) my view was entirely to think about it as a bug
> >>> only.  The author of OFBIZ-1106 never knew the difference between
> >>> 'code that failed to hide the password' and 'the complete absence of
> >>> code that successfully hid the password', he just knew that the
> >>> software did not do 'as it should', and this was exactly my point of
> >>> view in devising a solution as well.  It requires a strong
> >>> metaphysical argument to even tell the difference between the points
> >>> of fact that might exist in the software that would reveal the  
> >>> actual
> >>> intent of the original design.  My feeling is that it was either
> >>> overlooked accidentally, or it was not convenient to declare the XUI
> >>> XPage in a manner that made sense to have both regular input and
> >>> password input in the same node of the tree but at different times
> >>> (this convenience is what I provided in the patch).
> >>>
> >>> As I said above I am willing to take this to the user list and  
> >>> invite
> >>> all users who run a release4.0 branch to submit an accept/reject  
> >>> vote,
> >>> as I think this feature/bug (or bug/feature) is important enough to
> >>> the success of release4.0 to warrant.
> >>>
> >>> I am happily sitting on the fence and content to let this issue go
> >>> either way.  I am finding it fascinating.
> >>>
> >>> Cheers all
> >>> Dan
> >>>
> >>>
>
>

>
> Finally, have we an idea about what to do :o)
>
> Do we need a vote for this ?
> Maybe a generalisation for "security" case as features to back port in any
> case ?
> Create release4.0 (and later when they will come) branches as proposed by
> Jonathon ?
>
> Jacques
>
> De : "clearchris" <[hidden email]>
> > I had no idea the can of worms this would open up when I entered the
> issue.
> >
> > I come down on the side of wanting this patch in the release branch.
> >
> > Further, as there is no defined release date for 4.0, I would consider
> it
> > still open for very high-priority issues that are not traditionally
> defined
> > as "bugs".  Ofbiz customers, if they are using the release branch in
> > production or close to production would probably do well to lag a bit
> and
> > run with an older revision of the release branch.  Regressions can
> always be
> > an issue, even with bug "fixes".
> >
> > Chris
> >
> > -----Original Message-----
> > From: David E Jones [mailto:[hidden email]]
> > Sent: Thursday, November 15, 2007 4:11 PM
> > To: [hidden email]
> > Subject: Re: release4.0: OFBIZ-1106 (in or out?)
> >
> >
> > On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
> >
> > > Using that logic, you could say that almost any previous bugs were
> > > really "as-implemented" features and no changes should ever be made to
> > > the current release branch.
> > > If it was found somewhere in ofbiz that sensitive information was
> > > submitted over http instead of https, would that be considered a bug?
> > > Or would it be discounted as "well, it's a bad choice but that's how
> > > it
> > > was implemented"?
> > >
> > > I understand that the difficult thing about this is that the bug/
> > > feature
> > > line has to be drawn somewhere.  (I know where I'd draw it, especially
> > > on security related issues.)
> >
> > It's really not that tough... As I described in depth in my previous
> > post in this thread there is no need to muddy the meaning of "bug".
> >
> > Maybe the word you are looking for is "issue"?
> >
> > This isn't a "bug" per-se, but certainly an "issue" and solving that
> > issue requires a new feature. That doesn't mean it can't go into the
> > release branch, but non-bug-fixes should be carefully considered
> > before being added.
> >
> > > I'm curious to see how things pan out on this.  It will tell me how
> > > seriously security is taken by the people driving ofbiz.
> >
> > This is a common misconception. There are no "people driving ofbiz".
> >
> > OFBiz is a community-driven project and things happen when a user
> > needs something, implements it, and contributes it back to the
> > project. Even committers on OFBiz are just users who have a long
> > history of contributions and are invited to be committers to
> > facilitate further involvement.
> >
> > Security or not, things will only be fixed if someone cares enough.
> > The flip side of that is that if someone doesn't like how something is
> > in OFBiz and they don't do anything about it, they have only
> > themselves to blame, as uncomfortable and frighteningly empowering as
> > that may be. ;)
> >
> > -David
> >
> >
> > > Ray Barlow wrote:
> > >> As you say plenty of good points so rather than repeat lengthy
> > >> arguments
> > >> for or against I'll keep it simple and just say I don't think it
> > >> should
> > >> be described as a bug as it was implemented this way. Bad choice
> > >> maybe
> > >> but it's a feature change.
> > >>
> > >> Having said that I do think it should be seriously considered for the
> > >> release branch because of it's small footprint and improvement on a
> > >> very
> > >> weak and insecure area.
> > >>
> > >> Ray
> > >>
> > >>
> > >> Dan Shields wrote:
> > >>> Thanks Jacques.   Is there any further action by me that might be
> > >>> advised?   I was wondering because I was considering declaring a
> > >>> referendum on the issue on the user list as per David Jones'
> > >>> suggestion.
> > >>>
> > >>> Wow I guess that what we have here is "the absence of this new
> > >>> feature
> > >>> is a bug".
> > >>>
> > >>> I must say, the dev-debate that it has inspired has been impressive!
> > >>> There are good arguments both for viewing the patch as a bug, as
> > >>> well
> > >>> as equally good arguments for viewing it as a feature.  It really
> > >>> surprised me because up until that point in time (when I blindly
> > >>> stumbled into this) my view was entirely to think about it as a bug
> > >>> only.  The author of OFBIZ-1106 never knew the difference between
> > >>> 'code that failed to hide the password' and 'the complete absence of
> > >>> code that successfully hid the password', he just knew that the
> > >>> software did not do 'as it should', and this was exactly my point of
> > >>> view in devising a solution as well.  It requires a strong
> > >>> metaphysical argument to even tell the difference between the points
> > >>> of fact that might exist in the software that would reveal the
> > >>> actual
> > >>> intent of the original design.  My feeling is that it was either
> > >>> overlooked accidentally, or it was not convenient to declare the XUI
> > >>> XPage in a manner that made sense to have both regular input and
> > >>> password input in the same node of the tree but at different times
> > >>> (this convenience is what I provided in the patch).
> > >>>
> > >>> As I said above I am willing to take this to the user list and
> > >>> invite
> > >>> all users who run a release4.0 branch to submit an accept/reject
> > >>> vote,
> > >>> as I think this feature/bug (or bug/feature) is important enough to
> > >>> the success of release4.0 to warrant.
> > >>>
> > >>> I am happily sitting on the fence and content to let this issue go
> > >>> either way.  I am finding it fascinating.
> > >>>
> > >>> Cheers all
> > >>> Dan
> > >>>
> > >>>
> >
> >
>

> Finally, have we an idea about what to do :o)
>
> Do we need a vote for this ?
> Maybe a generalisation for "security" case as features to back port in any case ?
> Create release4.0 (and later when they will come) branches as proposed by Jonathon ?
>
> Jacques
>
> De : "clearchris" <[hidden email]>
>> I had no idea the can of worms this would open up when I entered the issue.
>>
>> I come down on the side of wanting this patch in the release branch.
>>
>> Further, as there is no defined release date for 4.0, I would consider it
>> still open for very high-priority issues that are not traditionally defined
>> as "bugs".  Ofbiz customers, if they are using the release branch in
>> production or close to production would probably do well to lag a bit and
>> run with an older revision of the release branch.  Regressions can always be
>> an issue, even with bug "fixes".
>>
>> Chris
>>
>> -----Original Message-----
>> From: David E Jones [mailto:[hidden email]]
>> Sent: Thursday, November 15, 2007 4:11 PM
>> To: [hidden email]
>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>
>>
>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>>
>>> Using that logic, you could say that almost any previous bugs were
>>> really "as-implemented" features and no changes should ever be made to
>>> the current release branch.
>>> If it was found somewhere in ofbiz that sensitive information was
>>> submitted over http instead of https, would that be considered a bug?
>>> Or would it be discounted as "well, it's a bad choice but that's how  
>>> it
>>> was implemented"?
>>>
>>> I understand that the difficult thing about this is that the bug/
>>> feature
>>> line has to be drawn somewhere.  (I know where I'd draw it, especially
>>> on security related issues.)
>> It's really not that tough... As I described in depth in my previous  
>> post in this thread there is no need to muddy the meaning of "bug".
>>
>> Maybe the word you are looking for is "issue"?
>>
>> This isn't a "bug" per-se, but certainly an "issue" and solving that  
>> issue requires a new feature. That doesn't mean it can't go into the  
>> release branch, but non-bug-fixes should be carefully considered  
>> before being added.
>>
>>> I'm curious to see how things pan out on this.  It will tell me how
>>> seriously security is taken by the people driving ofbiz.
>> This is a common misconception. There are no "people driving ofbiz".
>>
>> OFBiz is a community-driven project and things happen when a user  
>> needs something, implements it, and contributes it back to the  
>> project. Even committers on OFBiz are just users who have a long  
>> history of contributions and are invited to be committers to  
>> facilitate further involvement.
>>
>> Security or not, things will only be fixed if someone cares enough.  
>> The flip side of that is that if someone doesn't like how something is  
>> in OFBiz and they don't do anything about it, they have only  
>> themselves to blame, as uncomfortable and frighteningly empowering as  
>> that may be. ;)
>>
>> -David
>>
>>
>>> Ray Barlow wrote:
>>>> As you say plenty of good points so rather than repeat lengthy  
>>>> arguments
>>>> for or against I'll keep it simple and just say I don't think it  
>>>> should
>>>> be described as a bug as it was implemented this way. Bad choice  
>>>> maybe
>>>> but it's a feature change.
>>>>
>>>> Having said that I do think it should be seriously considered for the
>>>> release branch because of it's small footprint and improvement on a  
>>>> very
>>>> weak and insecure area.
>>>>
>>>> Ray
>>>>
>>>>
>>>> Dan Shields wrote:
>>>>> Thanks Jacques.   Is there any further action by me that might be
>>>>> advised?   I was wondering because I was considering declaring a
>>>>> referendum on the issue on the user list as per David Jones'
>>>>> suggestion.
>>>>>
>>>>> Wow I guess that what we have here is "the absence of this new  
>>>>> feature
>>>>> is a bug".
>>>>>
>>>>> I must say, the dev-debate that it has inspired has been impressive!
>>>>> There are good arguments both for viewing the patch as a bug, as  
>>>>> well
>>>>> as equally good arguments for viewing it as a feature.  It really
>>>>> surprised me because up until that point in time (when I blindly
>>>>> stumbled into this) my view was entirely to think about it as a bug
>>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>>> 'code that failed to hide the password' and 'the complete absence of
>>>>> code that successfully hid the password', he just knew that the
>>>>> software did not do 'as it should', and this was exactly my point of
>>>>> view in devising a solution as well.  It requires a strong
>>>>> metaphysical argument to even tell the difference between the points
>>>>> of fact that might exist in the software that would reveal the  
>>>>> actual
>>>>> intent of the original design.  My feeling is that it was either
>>>>> overlooked accidentally, or it was not convenient to declare the XUI
>>>>> XPage in a manner that made sense to have both regular input and
>>>>> password input in the same node of the tree but at different times
>>>>> (this convenience is what I provided in the patch).
>>>>>
>>>>> As I said above I am willing to take this to the user list and  
>>>>> invite
>>>>> all users who run a release4.0 branch to submit an accept/reject  
>>>>> vote,
>>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>>> the success of release4.0 to warrant.
>>>>>
>>>>> I am happily sitting on the fence and content to let this issue go
>>>>> either way.  I am finding it fascinating.
>>>>>
>>>>> Cheers all
>>>>> Dan
>>>>>
>>>>>
>>
>
>

> Well, clearchris has a point. Is there a defined release date for 4.0?
>
> It depends on the management's view of OFBiz 4.0. If it is considered
> alpha, go on ahead and insert any amount of enhancements into it. But if
> it is considered beta, it would be good to be strict about things, and
> pop in only bug fixes.
>
> The question to ask is whether management intends for OFBiz 4.0 to be
> frozen or not. Is it released/published already or not? If it is
> considered already published, I'd really like to see further
> enhancements in OFBiz 4.1. From a psychological perspective, it's
> exciting to see OFBiz 4.1, rather than see OFBiz 4.0 improve
> tremendously "behind-the-scenes" over one long year.
>
> Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10
> months ago, but the 4.0 then is a far cry from the 4.0 now!". It'd be
> easier saying: "Boss, we now have OFBiz 4.4. Here are the list of
> improvements over 4.0.".
>
> Then some folks may say that OFBiz 4.0 as it is now is unusable, that no
> one in right mind will use 4.0 given the horrible security issue
> outstanding. What then? I say, we let 4.0 die. Time to move on! 4.0 was
> published, management should stick to that decision. Roll out the next
> version!
>
> Now on to technical considerations. SVN branches are "hotlinked", ie
> branching 4.1 from 4.0 only creates a cheap reference to 4.0, not an
> entire copy of 4.0. Any changes to 4.1 will then take up further
> harddisk space, so only deltas above 4.0 are stored on disk. There will
> still be only *one* copy of the entire 4.0 code.
>
> Now we question whether there'll be tons of confusion if we roll out a
> whole army of the 4.x family. The crucial thing we *must* do is to make
> sure the 4.x family are fully compatible with one another such that
> upgrading/downgrading along the family line requires zero migration
> effort. Also, make sure that any bug fixes can be *uniformly* applied
> across the whole family. What that also means is any enhancements that
> are too radical and that may break above requirement cannot be put into
> the 4.x family.
>
> So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A
> non-techie person can say "I found the bug in 4.0". So he didn't have
> time to upgrade to 4.1, or maybe 4.1 is an unlucky number for him. Then
> the response we give him? "Sir, have you gotten the latest updates for
> 4.0"? He either says "no" and he updates and retest, or he says "yes"
> and we hunt for the bug in that *specific release version that is 4.0*!
> Or if we want to, we could say that "4.0 is dead, please use 4.2".
>
> In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all
> sorts of enhancements as long as they don't break backward-compatibility
> with 4.0. OFBiz 4.0 continues beta, until such time that it is
> super-bugfree. We'll have a series of 4.x members, with the earlier ones
> getting more stable than the later ones (later ones take in risky new
> enhancements). How will that happen? Anyone finding a bug in the latest
> 4.x member can also apply the similar bug fix to 4.0 (or 4.y where y <
> x). The bug fixes cascade down to earlier 4.x members, making them more
> stable over time, even as the community tests only the newest 4.x member.
>
> Throughout the whole 4.x lineage, no extra harddisk space is taken up.
> SVN makes cheap "copies". Only deltas are stored.
>
> Is that clearly explained? Or did I just confuse version control with
> cake-baking?
>
> Jonathon
>
> Jacques Le Roux wrote:
>> Finally, have we an idea about what to do :o)
>>
>> Do we need a vote for this ? Maybe a generalisation for "security"
>> case as features to back port in any case ?
>> Create release4.0 (and later when they will come) branches as proposed
>> by Jonathon ?
>>
>> Jacques
>>
>> De : "clearchris" <[hidden email]>
>>> I had no idea the can of worms this would open up when I entered the
>>> issue.
>>>
>>> I come down on the side of wanting this patch in the release branch.
>>>
>>> Further, as there is no defined release date for 4.0, I would
>>> consider it
>>> still open for very high-priority issues that are not traditionally
>>> defined
>>> as "bugs".  Ofbiz customers, if they are using the release branch in
>>> production or close to production would probably do well to lag a bit
>>> and
>>> run with an older revision of the release branch.  Regressions can
>>> always be
>>> an issue, even with bug "fixes".
>>>
>>> Chris
>>>
>>> -----Original Message-----
>>> From: David E Jones [mailto:[hidden email]] Sent: Thursday,
>>> November 15, 2007 4:11 PM
>>> To: [hidden email]
>>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>>
>>>
>>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>>>
>>>> Using that logic, you could say that almost any previous bugs were
>>>> really "as-implemented" features and no changes should ever be made to
>>>> the current release branch.
>>>> If it was found somewhere in ofbiz that sensitive information was
>>>> submitted over http instead of https, would that be considered a bug?
>>>> Or would it be discounted as "well, it's a bad choice but that's
>>>> how  it
>>>> was implemented"?
>>>>
>>>> I understand that the difficult thing about this is that the bug/
>>>> feature
>>>> line has to be drawn somewhere.  (I know where I'd draw it, especially
>>>> on security related issues.)
>>> It's really not that tough... As I described in depth in my previous
>>> post in this thread there is no need to muddy the meaning of "bug".
>>>
>>> Maybe the word you are looking for is "issue"?
>>>
>>> This isn't a "bug" per-se, but certainly an "issue" and solving that
>>> issue requires a new feature. That doesn't mean it can't go into the
>>> release branch, but non-bug-fixes should be carefully considered
>>> before being added.
>>>
>>>> I'm curious to see how things pan out on this.  It will tell me how
>>>> seriously security is taken by the people driving ofbiz.
>>> This is a common misconception. There are no "people driving ofbiz".
>>>
>>> OFBiz is a community-driven project and things happen when a user
>>> needs something, implements it, and contributes it back to the
>>> project. Even committers on OFBiz are just users who have a long
>>> history of contributions and are invited to be committers to
>>> facilitate further involvement.
>>>
>>> Security or not, things will only be fixed if someone cares enough.
>>> The flip side of that is that if someone doesn't like how something
>>> is  in OFBiz and they don't do anything about it, they have only
>>> themselves to blame, as uncomfortable and frighteningly empowering
>>> as  that may be. ;)
>>>
>>> -David
>>>
>>>
>>>> Ray Barlow wrote:
>>>>> As you say plenty of good points so rather than repeat lengthy
>>>>> arguments
>>>>> for or against I'll keep it simple and just say I don't think it
>>>>> should
>>>>> be described as a bug as it was implemented this way. Bad choice
>>>>> maybe
>>>>> but it's a feature change.
>>>>>
>>>>> Having said that I do think it should be seriously considered for the
>>>>> release branch because of it's small footprint and improvement on
>>>>> a  very
>>>>> weak and insecure area.
>>>>>
>>>>> Ray
>>>>>
>>>>>
>>>>> Dan Shields wrote:
>>>>>> Thanks Jacques.   Is there any further action by me that might be
>>>>>> advised?   I was wondering because I was considering declaring a
>>>>>> referendum on the issue on the user list as per David Jones'
>>>>>> suggestion.
>>>>>>
>>>>>> Wow I guess that what we have here is "the absence of this new
>>>>>> feature
>>>>>> is a bug".
>>>>>>
>>>>>> I must say, the dev-debate that it has inspired has been impressive!
>>>>>> There are good arguments both for viewing the patch as a bug, as
>>>>>> well
>>>>>> as equally good arguments for viewing it as a feature.  It really
>>>>>> surprised me because up until that point in time (when I blindly
>>>>>> stumbled into this) my view was entirely to think about it as a bug
>>>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>>>> 'code that failed to hide the password' and 'the complete absence of
>>>>>> code that successfully hid the password', he just knew that the
>>>>>> software did not do 'as it should', and this was exactly my point of
>>>>>> view in devising a solution as well.  It requires a strong
>>>>>> metaphysical argument to even tell the difference between the points
>>>>>> of fact that might exist in the software that would reveal the
>>>>>> actual
>>>>>> intent of the original design.  My feeling is that it was either
>>>>>> overlooked accidentally, or it was not convenient to declare the XUI
>>>>>> XPage in a manner that made sense to have both regular input and
>>>>>> password input in the same node of the tree but at different times
>>>>>> (this convenience is what I provided in the patch).
>>>>>>
>>>>>> As I said above I am willing to take this to the user list and
>>>>>> invite
>>>>>> all users who run a release4.0 branch to submit an accept/reject
>>>>>> vote,
>>>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>>>> the success of release4.0 to warrant.
>>>>>>
>>>>>> I am happily sitting on the fence and content to let this issue go
>>>>>> either way.  I am finding it fascinating.
>>>>>>
>>>>>> Cheers all
>>>>>> Dan
>>>>>>
>>>>>>
>>>
>>
>>
>
>
>
>

>
> about a month ago david ask the community for feed back on those that
> have 4.0 in production.
> I have not see that much feed back about it so apparently there are not
> that many using it in production.
> I believe once more report that they are using 4.0 in production and are
> not running into problems that would the be point to freeze it and
> release.
>
>
>
> Jonathon -- Improov sent the following on 11/16/2007 7:18 PM:
> > Well, clearchris has a point. Is there a defined release date for 4.0?
> >
> > It depends on the management's view of OFBiz 4.0. If it is considered
> > alpha, go on ahead and insert any amount of enhancements into it. But if
> > it is considered beta, it would be good to be strict about things, and
> > pop in only bug fixes.
> >
> > The question to ask is whether management intends for OFBiz 4.0 to be
> > frozen or not. Is it released/published already or not? If it is
> > considered already published, I'd really like to see further
> > enhancements in OFBiz 4.1. From a psychological perspective, it's
> > exciting to see OFBiz 4.1, rather than see OFBiz 4.0 improve
> > tremendously "behind-the-scenes" over one long year.
> >
> > Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10
> > months ago, but the 4.0 then is a far cry from the 4.0 now!". It'd be
> > easier saying: "Boss, we now have OFBiz 4.4. Here are the list of
> > improvements over 4.0.".
> >
> > Then some folks may say that OFBiz 4.0 as it is now is unusable, that no
> > one in right mind will use 4.0 given the horrible security issue
> > outstanding. What then? I say, we let 4.0 die. Time to move on! 4.0 was
> > published, management should stick to that decision. Roll out the next
> > version!
> >
> > Now on to technical considerations. SVN branches are "hotlinked", ie
> > branching 4.1 from 4.0 only creates a cheap reference to 4.0, not an
> > entire copy of 4.0. Any changes to 4.1 will then take up further
> > harddisk space, so only deltas above 4.0 are stored on disk. There will
> > still be only *one* copy of the entire 4.0 code.
> >
> > Now we question whether there'll be tons of confusion if we roll out a
> > whole army of the 4.x family. The crucial thing we *must* do is to make
> > sure the 4.x family are fully compatible with one another such that
> > upgrading/downgrading along the family line requires zero migration
> > effort. Also, make sure that any bug fixes can be *uniformly* applied
> > across the whole family. What that also means is any enhancements that
> > are too radical and that may break above requirement cannot be put into
> > the 4.x family.
> >
> > So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A
> > non-techie person can say "I found the bug in 4.0". So he didn't have
> > time to upgrade to 4.1, or maybe 4.1 is an unlucky number for him. Then
> > the response we give him? "Sir, have you gotten the latest updates for
> > 4.0"? He either says "no" and he updates and retest, or he says "yes"
> > and we hunt for the bug in that *specific release version that is 4.0*!
> > Or if we want to, we could say that "4.0 is dead, please use 4.2".
> >
> > In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all
> > sorts of enhancements as long as they don't break backward-compatibility
> > with 4.0. OFBiz 4.0 continues beta, until such time that it is
> > super-bugfree. We'll have a series of 4.x members, with the earlier ones
> > getting more stable than the later ones (later ones take in risky new
> > enhancements). How will that happen? Anyone finding a bug in the latest
> > 4.x member can also apply the similar bug fix to 4.0 (or 4.y where y <
> > x). The bug fixes cascade down to earlier 4.x members, making them more
> > stable over time, even as the community tests only the newest 4.xmember.
> >
> > Throughout the whole 4.x lineage, no extra harddisk space is taken up.
> > SVN makes cheap "copies". Only deltas are stored.
> >
> > Is that clearly explained? Or did I just confuse version control with
> > cake-baking?
> >
> > Jonathon
> >
> > Jacques Le Roux wrote:
> >> Finally, have we an idea about what to do :o)
> >>
> >> Do we need a vote for this ? Maybe a generalisation for "security"
> >> case as features to back port in any case ?
> >> Create release4.0 (and later when they will come) branches as proposed
> >> by Jonathon ?
> >>
> >> Jacques
> >>
> >> De : "clearchris" <[hidden email]>
> >>> I had no idea the can of worms this would open up when I entered the
> >>> issue.
> >>>
> >>> I come down on the side of wanting this patch in the release branch.
> >>>
> >>> Further, as there is no defined release date for 4.0, I would
> >>> consider it
> >>> still open for very high-priority issues that are not traditionally
> >>> defined
> >>> as "bugs".  Ofbiz customers, if they are using the release branch in
> >>> production or close to production would probably do well to lag a bit
> >>> and
> >>> run with an older revision of the release branch.  Regressions can
> >>> always be
> >>> an issue, even with bug "fixes".
> >>>
> >>> Chris
> >>>
> >>> -----Original Message-----
> >>> From: David E Jones [mailto:[hidden email]] Sent: Thursday,
> >>> November 15, 2007 4:11 PM
> >>> To: [hidden email]
> >>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
> >>>
> >>>
> >>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
> >>>
> >>>> Using that logic, you could say that almost any previous bugs were
> >>>> really "as-implemented" features and no changes should ever be made
> to
> >>>> the current release branch.
> >>>> If it was found somewhere in ofbiz that sensitive information was
> >>>> submitted over http instead of https, would that be considered a bug?
> >>>> Or would it be discounted as "well, it's a bad choice but that's
> >>>> how  it
> >>>> was implemented"?
> >>>>
> >>>> I understand that the difficult thing about this is that the bug/
> >>>> feature
> >>>> line has to be drawn somewhere.  (I know where I'd draw it,
> especially
> >>>> on security related issues.)
> >>> It's really not that tough... As I described in depth in my previous
> >>> post in this thread there is no need to muddy the meaning of "bug".
> >>>
> >>> Maybe the word you are looking for is "issue"?
> >>>
> >>> This isn't a "bug" per-se, but certainly an "issue" and solving that
> >>> issue requires a new feature. That doesn't mean it can't go into the
> >>> release branch, but non-bug-fixes should be carefully considered
> >>> before being added.
> >>>
> >>>> I'm curious to see how things pan out on this.  It will tell me how
> >>>> seriously security is taken by the people driving ofbiz.
> >>> This is a common misconception. There are no "people driving ofbiz".
> >>>
> >>> OFBiz is a community-driven project and things happen when a user
> >>> needs something, implements it, and contributes it back to the
> >>> project. Even committers on OFBiz are just users who have a long
> >>> history of contributions and are invited to be committers to
> >>> facilitate further involvement.
> >>>
> >>> Security or not, things will only be fixed if someone cares enough.
> >>> The flip side of that is that if someone doesn't like how something
> >>> is  in OFBiz and they don't do anything about it, they have only
> >>> themselves to blame, as uncomfortable and frighteningly empowering
> >>> as  that may be. ;)
> >>>
> >>> -David
> >>>
> >>>
> >>>> Ray Barlow wrote:
> >>>>> As you say plenty of good points so rather than repeat lengthy
> >>>>> arguments
> >>>>> for or against I'll keep it simple and just say I don't think it
> >>>>> should
> >>>>> be described as a bug as it was implemented this way. Bad choice
> >>>>> maybe
> >>>>> but it's a feature change.
> >>>>>
> >>>>> Having said that I do think it should be seriously considered for
> the
> >>>>> release branch because of it's small footprint and improvement on
> >>>>> a  very
> >>>>> weak and insecure area.
> >>>>>
> >>>>> Ray
> >>>>>
> >>>>>
> >>>>> Dan Shields wrote:
> >>>>>> Thanks Jacques.   Is there any further action by me that might be
> >>>>>> advised?   I was wondering because I was considering declaring a
> >>>>>> referendum on the issue on the user list as per David Jones'
> >>>>>> suggestion.
> >>>>>>
> >>>>>> Wow I guess that what we have here is "the absence of this new
> >>>>>> feature
> >>>>>> is a bug".
> >>>>>>
> >>>>>> I must say, the dev-debate that it has inspired has been
> impressive!
> >>>>>> There are good arguments both for viewing the patch as a bug, as
> >>>>>> well
> >>>>>> as equally good arguments for viewing it as a feature.  It really
> >>>>>> surprised me because up until that point in time (when I blindly
> >>>>>> stumbled into this) my view was entirely to think about it as a bug
> >>>>>> only.  The author of OFBIZ-1106 never knew the difference between
> >>>>>> 'code that failed to hide the password' and 'the complete absence
> of
> >>>>>> code that successfully hid the password', he just knew that the
> >>>>>> software did not do 'as it should', and this was exactly my point
> of
> >>>>>> view in devising a solution as well.  It requires a strong
> >>>>>> metaphysical argument to even tell the difference between the
> points
> >>>>>> of fact that might exist in the software that would reveal the
> >>>>>> actual
> >>>>>> intent of the original design.  My feeling is that it was either
> >>>>>> overlooked accidentally, or it was not convenient to declare the
> XUI
> >>>>>> XPage in a manner that made sense to have both regular input and
> >>>>>> password input in the same node of the tree but at different times
> >>>>>> (this convenience is what I provided in the patch).
> >>>>>>
> >>>>>> As I said above I am willing to take this to the user list and
> >>>>>> invite
> >>>>>> all users who run a release4.0 branch to submit an accept/reject
> >>>>>> vote,
> >>>>>> as I think this feature/bug (or bug/feature) is important enough to
> >>>>>> the success of release4.0 to warrant.
> >>>>>>
> >>>>>> I am happily sitting on the fence and content to let this issue go
> >>>>>> either way.  I am finding it fascinating.
> >>>>>>
> >>>>>> Cheers all
> >>>>>> Dan
> >>>>>>
> >>>>>>
> >>>
> >>
> >>
> >
> >
> >
> >
>

> Exactly right BJ, for releases to move faster the community needs to move
> faster.  The committers have put a lot more time into contributing to the
> release (mostly via back patching) than the rest of the community and IMO
> that is the reverse of how it should be.  No matter what the release plan
> ends up looking like, if the community doesn't support the release via
> extensive use, testing and bug reports (with fixes!) then it will always
> move more like the tortoise than the hare.
>
> Regards
> Scott
>
> On 17/11/2007, BJ Freeman <[hidden email]> wrote:
>> about a month ago david ask the community for feed back on those that
>> have 4.0 in production.
>> I have not see that much feed back about it so apparently there are not
>> that many using it in production.
>> I believe once more report that they are using 4.0 in production and are
>> not running into problems that would the be point to freeze it and
>> release.
>>
>>
>>
>> Jonathon -- Improov sent the following on 11/16/2007 7:18 PM:
>>> Well, clearchris has a point. Is there a defined release date for 4.0?
>>>
>>> It depends on the management's view of OFBiz 4.0. If it is considered
>>> alpha, go on ahead and insert any amount of enhancements into it. But if
>>> it is considered beta, it would be good to be strict about things, and
>>> pop in only bug fixes.
>>>
>>> The question to ask is whether management intends for OFBiz 4.0 to be
>>> frozen or not. Is it released/published already or not? If it is
>>> considered already published, I'd really like to see further
>>> enhancements in OFBiz 4.1. From a psychological perspective, it's
>>> exciting to see OFBiz 4.1, rather than see OFBiz 4.0 improve
>>> tremendously "behind-the-scenes" over one long year.
>>>
>>> Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10
>>> months ago, but the 4.0 then is a far cry from the 4.0 now!". It'd be
>>> easier saying: "Boss, we now have OFBiz 4.4. Here are the list of
>>> improvements over 4.0.".
>>>
>>> Then some folks may say that OFBiz 4.0 as it is now is unusable, that no
>>> one in right mind will use 4.0 given the horrible security issue
>>> outstanding. What then? I say, we let 4.0 die. Time to move on! 4.0 was
>>> published, management should stick to that decision. Roll out the next
>>> version!
>>>
>>> Now on to technical considerations. SVN branches are "hotlinked", ie
>>> branching 4.1 from 4.0 only creates a cheap reference to 4.0, not an
>>> entire copy of 4.0. Any changes to 4.1 will then take up further
>>> harddisk space, so only deltas above 4.0 are stored on disk. There will
>>> still be only *one* copy of the entire 4.0 code.
>>>
>>> Now we question whether there'll be tons of confusion if we roll out a
>>> whole army of the 4.x family. The crucial thing we *must* do is to make
>>> sure the 4.x family are fully compatible with one another such that
>>> upgrading/downgrading along the family line requires zero migration
>>> effort. Also, make sure that any bug fixes can be *uniformly* applied
>>> across the whole family. What that also means is any enhancements that
>>> are too radical and that may break above requirement cannot be put into
>>> the 4.x family.
>>>
>>> So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A
>>> non-techie person can say "I found the bug in 4.0". So he didn't have
>>> time to upgrade to 4.1, or maybe 4.1 is an unlucky number for him. Then
>>> the response we give him? "Sir, have you gotten the latest updates for
>>> 4.0"? He either says "no" and he updates and retest, or he says "yes"
>>> and we hunt for the bug in that *specific release version that is 4.0*!
>>> Or if we want to, we could say that "4.0 is dead, please use 4.2".
>>>
>>> In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all
>>> sorts of enhancements as long as they don't break backward-compatibility
>>> with 4.0. OFBiz 4.0 continues beta, until such time that it is
>>> super-bugfree. We'll have a series of 4.x members, with the earlier ones
>>> getting more stable than the later ones (later ones take in risky new
>>> enhancements). How will that happen? Anyone finding a bug in the latest
>>> 4.x member can also apply the similar bug fix to 4.0 (or 4.y where y <
>>> x). The bug fixes cascade down to earlier 4.x members, making them more
>>> stable over time, even as the community tests only the newest 4.xmember.
>>>
>>> Throughout the whole 4.x lineage, no extra harddisk space is taken up.
>>> SVN makes cheap "copies". Only deltas are stored.
>>>
>>> Is that clearly explained? Or did I just confuse version control with
>>> cake-baking?
>>>
>>> Jonathon
>>>
>>> Jacques Le Roux wrote:
>>>> Finally, have we an idea about what to do :o)
>>>>
>>>> Do we need a vote for this ? Maybe a generalisation for "security"
>>>> case as features to back port in any case ?
>>>> Create release4.0 (and later when they will come) branches as proposed
>>>> by Jonathon ?
>>>>
>>>> Jacques
>>>>
>>>> De : "clearchris" <[hidden email]>
>>>>> I had no idea the can of worms this would open up when I entered the
>>>>> issue.
>>>>>
>>>>> I come down on the side of wanting this patch in the release branch.
>>>>>
>>>>> Further, as there is no defined release date for 4.0, I would
>>>>> consider it
>>>>> still open for very high-priority issues that are not traditionally
>>>>> defined
>>>>> as "bugs".  Ofbiz customers, if they are using the release branch in
>>>>> production or close to production would probably do well to lag a bit
>>>>> and
>>>>> run with an older revision of the release branch.  Regressions can
>>>>> always be
>>>>> an issue, even with bug "fixes".
>>>>>
>>>>> Chris
>>>>>
>>>>> -----Original Message-----
>>>>> From: David E Jones [mailto:[hidden email]] Sent: Thursday,
>>>>> November 15, 2007 4:11 PM
>>>>> To: [hidden email]
>>>>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>>>>
>>>>>
>>>>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>>>>>
>>>>>> Using that logic, you could say that almost any previous bugs were
>>>>>> really "as-implemented" features and no changes should ever be made
>> to
>>>>>> the current release branch.
>>>>>> If it was found somewhere in ofbiz that sensitive information was
>>>>>> submitted over http instead of https, would that be considered a bug?
>>>>>> Or would it be discounted as "well, it's a bad choice but that's
>>>>>> how  it
>>>>>> was implemented"?
>>>>>>
>>>>>> I understand that the difficult thing about this is that the bug/
>>>>>> feature
>>>>>> line has to be drawn somewhere.  (I know where I'd draw it,
>> especially
>>>>>> on security related issues.)
>>>>> It's really not that tough... As I described in depth in my previous
>>>>> post in this thread there is no need to muddy the meaning of "bug".
>>>>>
>>>>> Maybe the word you are looking for is "issue"?
>>>>>
>>>>> This isn't a "bug" per-se, but certainly an "issue" and solving that
>>>>> issue requires a new feature. That doesn't mean it can't go into the
>>>>> release branch, but non-bug-fixes should be carefully considered
>>>>> before being added.
>>>>>
>>>>>> I'm curious to see how things pan out on this.  It will tell me how
>>>>>> seriously security is taken by the people driving ofbiz.
>>>>> This is a common misconception. There are no "people driving ofbiz".
>>>>>
>>>>> OFBiz is a community-driven project and things happen when a user
>>>>> needs something, implements it, and contributes it back to the
>>>>> project. Even committers on OFBiz are just users who have a long
>>>>> history of contributions and are invited to be committers to
>>>>> facilitate further involvement.
>>>>>
>>>>> Security or not, things will only be fixed if someone cares enough.
>>>>> The flip side of that is that if someone doesn't like how something
>>>>> is  in OFBiz and they don't do anything about it, they have only
>>>>> themselves to blame, as uncomfortable and frighteningly empowering
>>>>> as  that may be. ;)
>>>>>
>>>>> -David
>>>>>
>>>>>
>>>>>> Ray Barlow wrote:
>>>>>>> As you say plenty of good points so rather than repeat lengthy
>>>>>>> arguments
>>>>>>> for or against I'll keep it simple and just say I don't think it
>>>>>>> should
>>>>>>> be described as a bug as it was implemented this way. Bad choice
>>>>>>> maybe
>>>>>>> but it's a feature change.
>>>>>>>
>>>>>>> Having said that I do think it should be seriously considered for
>> the
>>>>>>> release branch because of it's small footprint and improvement on
>>>>>>> a  very
>>>>>>> weak and insecure area.
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>>
>>>>>>> Dan Shields wrote:
>>>>>>>> Thanks Jacques.   Is there any further action by me that might be
>>>>>>>> advised?   I was wondering because I was considering declaring a
>>>>>>>> referendum on the issue on the user list as per David Jones'
>>>>>>>> suggestion.
>>>>>>>>
>>>>>>>> Wow I guess that what we have here is "the absence of this new
>>>>>>>> feature
>>>>>>>> is a bug".
>>>>>>>>
>>>>>>>> I must say, the dev-debate that it has inspired has been
>> impressive!
>>>>>>>> There are good arguments both for viewing the patch as a bug, as
>>>>>>>> well
>>>>>>>> as equally good arguments for viewing it as a feature.  It really
>>>>>>>> surprised me because up until that point in time (when I blindly
>>>>>>>> stumbled into this) my view was entirely to think about it as a bug
>>>>>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>>>>>> 'code that failed to hide the password' and 'the complete absence
>> of
>>>>>>>> code that successfully hid the password', he just knew that the
>>>>>>>> software did not do 'as it should', and this was exactly my point
>> of
>>>>>>>> view in devising a solution as well.  It requires a strong
>>>>>>>> metaphysical argument to even tell the difference between the
>> points
>>>>>>>> of fact that might exist in the software that would reveal the
>>>>>>>> actual
>>>>>>>> intent of the original design.  My feeling is that it was either
>>>>>>>> overlooked accidentally, or it was not convenient to declare the
>> XUI
>>>>>>>> XPage in a manner that made sense to have both regular input and
>>>>>>>> password input in the same node of the tree but at different times
>>>>>>>> (this convenience is what I provided in the patch).
>>>>>>>>
>>>>>>>> As I said above I am willing to take this to the user list and
>>>>>>>> invite
>>>>>>>> all users who run a release4.0 branch to submit an accept/reject
>>>>>>>> vote,
>>>>>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>>>>>> the success of release4.0 to warrant.
>>>>>>>>
>>>>>>>> I am happily sitting on the fence and content to let this issue go
>>>>>>>> either way.  I am finding it fascinating.
>>>>>>>>
>>>>>>>> Cheers all
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>
>>>>
>>>
>>>
>>>
>
>
> ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.16.0/1135 - Release Date: 11/16/2007 10:58 PM

>
> Regards
> Scott
>
> On 17/11/2007, BJ Freeman <[hidden email]> wrote:
> >
> > about a month ago david ask the community for feed back on those that
> > have 4.0 in production.
> > I have not see that much feed back about it so apparently there are not
> > that many using it in production.
> > I believe once more report that they are using 4.0 in production and are
> > not running into problems that would the be point to freeze it and
> > release.
> >
> >
> >
> > Jonathon -- Improov sent the following on 11/16/2007 7:18 PM:
> > > Well, clearchris has a point. Is there a defined release date for 4.0?
> > >
> > > It depends on the management's view of OFBiz 4.0. If it is considered
> > > alpha, go on ahead and insert any amount of enhancements into it. But if
> > > it is considered beta, it would be good to be strict about things, and
> > > pop in only bug fixes.
> > >
> > > The question to ask is whether management intends for OFBiz 4.0 to be
> > > frozen or not. Is it released/published already or not? If it is
> > > considered already published, I'd really like to see further
> > > enhancements in OFBiz 4.1. From a psychological perspective, it's
> > > exciting to see OFBiz 4.1, rather than see OFBiz 4.0 improve
> > > tremendously "behind-the-scenes" over one long year.
> > >
> > > Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10
> > > months ago, but the 4.0 then is a far cry from the 4.0 now!". It'd be
> > > easier saying: "Boss, we now have OFBiz 4.4. Here are the list of
> > > improvements over 4.0.".
> > >
> > > Then some folks may say that OFBiz 4.0 as it is now is unusable, that no
> > > one in right mind will use 4.0 given the horrible security issue
> > > outstanding. What then? I say, we let 4.0 die. Time to move on! 4.0 was
> > > published, management should stick to that decision. Roll out the next
> > > version!
> > >
> > > Now on to technical considerations. SVN branches are "hotlinked", ie
> > > branching 4.1 from 4.0 only creates a cheap reference to 4.0, not an
> > > entire copy of 4.0. Any changes to 4.1 will then take up further
> > > harddisk space, so only deltas above 4.0 are stored on disk. There will
> > > still be only *one* copy of the entire 4.0 code.
> > >
> > > Now we question whether there'll be tons of confusion if we roll out a
> > > whole army of the 4.x family. The crucial thing we *must* do is to make
> > > sure the 4.x family are fully compatible with one another such that
> > > upgrading/downgrading along the family line requires zero migration
> > > effort. Also, make sure that any bug fixes can be *uniformly* applied
> > > across the whole family. What that also means is any enhancements that
> > > are too radical and that may break above requirement cannot be put into
> > > the 4.x family.
> > >
> > > So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A
> > > non-techie person can say "I found the bug in 4.0". So he didn't have
> > > time to upgrade to 4.1, or maybe 4.1 is an unlucky number for him. Then
> > > the response we give him? "Sir, have you gotten the latest updates for
> > > 4.0"? He either says "no" and he updates and retest, or he says "yes"
> > > and we hunt for the bug in that *specific release version that is 4.0*!
> > > Or if we want to, we could say that "4.0 is dead, please use 4.2".
> > >
> > > In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all
> > > sorts of enhancements as long as they don't break backward-compatibility
> > > with 4.0. OFBiz 4.0 continues beta, until such time that it is
> > > super-bugfree. We'll have a series of 4.x members, with the earlier ones
> > > getting more stable than the later ones (later ones take in risky new
> > > enhancements). How will that happen? Anyone finding a bug in the latest
> > > 4.x member can also apply the similar bug fix to 4.0 (or 4.y where y <
> > > x). The bug fixes cascade down to earlier 4.x members, making them more
> > > stable over time, even as the community tests only the newest 4.xmember.
> > >
> > > Throughout the whole 4.x lineage, no extra harddisk space is taken up.
> > > SVN makes cheap "copies". Only deltas are stored.
> > >
> > > Is that clearly explained? Or did I just confuse version control with
> > > cake-baking?
> > >
> > > Jonathon
> > >
> > > Jacques Le Roux wrote:
> > >> Finally, have we an idea about what to do :o)
> > >>
> > >> Do we need a vote for this ? Maybe a generalisation for "security"
> > >> case as features to back port in any case ?
> > >> Create release4.0 (and later when they will come) branches as proposed
> > >> by Jonathon ?
> > >>
> > >> Jacques
> > >>
> > >> De : "clearchris" <[hidden email]>
> > >>> I had no idea the can of worms this would open up when I entered the
> > >>> issue.
> > >>>
> > >>> I come down on the side of wanting this patch in the release branch.
> > >>>
> > >>> Further, as there is no defined release date for 4.0, I would
> > >>> consider it
> > >>> still open for very high-priority issues that are not traditionally
> > >>> defined
> > >>> as "bugs".  Ofbiz customers, if they are using the release branch in
> > >>> production or close to production would probably do well to lag a bit
> > >>> and
> > >>> run with an older revision of the release branch.  Regressions can
> > >>> always be
> > >>> an issue, even with bug "fixes".
> > >>>
> > >>> Chris
> > >>>
> > >>> -----Original Message-----
> > >>> From: David E Jones [mailto:[hidden email]] Sent: Thursday,
> > >>> November 15, 2007 4:11 PM
> > >>> To: [hidden email]
> > >>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
> > >>>
> > >>>
> > >>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
> > >>>
> > >>>> Using that logic, you could say that almost any previous bugs were
> > >>>> really "as-implemented" features and no changes should ever be made
> > to
> > >>>> the current release branch.
> > >>>> If it was found somewhere in ofbiz that sensitive information was
> > >>>> submitted over http instead of https, would that be considered a bug?
> > >>>> Or would it be discounted as "well, it's a bad choice but that's
> > >>>> how  it
> > >>>> was implemented"?
> > >>>>
> > >>>> I understand that the difficult thing about this is that the bug/
> > >>>> feature
> > >>>> line has to be drawn somewhere.  (I know where I'd draw it,
> > especially
> > >>>> on security related issues.)
> > >>> It's really not that tough... As I described in depth in my previous
> > >>> post in this thread there is no need to muddy the meaning of "bug".
> > >>>
> > >>> Maybe the word you are looking for is "issue"?
> > >>>
> > >>> This isn't a "bug" per-se, but certainly an "issue" and solving that
> > >>> issue requires a new feature. That doesn't mean it can't go into the
> > >>> release branch, but non-bug-fixes should be carefully considered
> > >>> before being added.
> > >>>
> > >>>> I'm curious to see how things pan out on this.  It will tell me how
> > >>>> seriously security is taken by the people driving ofbiz.
> > >>> This is a common misconception. There are no "people driving ofbiz".
> > >>>
> > >>> OFBiz is a community-driven project and things happen when a user
> > >>> needs something, implements it, and contributes it back to the
> > >>> project. Even committers on OFBiz are just users who have a long
> > >>> history of contributions and are invited to be committers to
> > >>> facilitate further involvement.
> > >>>
> > >>> Security or not, things will only be fixed if someone cares enough.
> > >>> The flip side of that is that if someone doesn't like how something
> > >>> is  in OFBiz and they don't do anything about it, they have only
> > >>> themselves to blame, as uncomfortable and frighteningly empowering
> > >>> as  that may be. ;)
> > >>>
> > >>> -David
> > >>>
> > >>>
> > >>>> Ray Barlow wrote:
> > >>>>> As you say plenty of good points so rather than repeat lengthy
> > >>>>> arguments
> > >>>>> for or against I'll keep it simple and just say I don't think it
> > >>>>> should
> > >>>>> be described as a bug as it was implemented this way. Bad choice
> > >>>>> maybe
> > >>>>> but it's a feature change.
> > >>>>>
> > >>>>> Having said that I do think it should be seriously considered for
> > the
> > >>>>> release branch because of it's small footprint and improvement on
> > >>>>> a  very
> > >>>>> weak and insecure area.
> > >>>>>
> > >>>>> Ray
> > >>>>>
> > >>>>>
> > >>>>> Dan Shields wrote:
> > >>>>>> Thanks Jacques.   Is there any further action by me that might be
> > >>>>>> advised?   I was wondering because I was considering declaring a
> > >>>>>> referendum on the issue on the user list as per David Jones'
> > >>>>>> suggestion.
> > >>>>>>
> > >>>>>> Wow I guess that what we have here is "the absence of this new
> > >>>>>> feature
> > >>>>>> is a bug".
> > >>>>>>
> > >>>>>> I must say, the dev-debate that it has inspired has been
> > impressive!
> > >>>>>> There are good arguments both for viewing the patch as a bug, as
> > >>>>>> well
> > >>>>>> as equally good arguments for viewing it as a feature.  It really
> > >>>>>> surprised me because up until that point in time (when I blindly
> > >>>>>> stumbled into this) my view was entirely to think about it as a bug
> > >>>>>> only.  The author of OFBIZ-1106 never knew the difference between
> > >>>>>> 'code that failed to hide the password' and 'the complete absence
> > of
> > >>>>>> code that successfully hid the password', he just knew that the
> > >>>>>> software did not do 'as it should', and this was exactly my point
> > of
> > >>>>>> view in devising a solution as well.  It requires a strong
> > >>>>>> metaphysical argument to even tell the difference between the
> > points
> > >>>>>> of fact that might exist in the software that would reveal the
> > >>>>>> actual
> > >>>>>> intent of the original design.  My feeling is that it was either
> > >>>>>> overlooked accidentally, or it was not convenient to declare the
> > XUI
> > >>>>>> XPage in a manner that made sense to have both regular input and
> > >>>>>> password input in the same node of the tree but at different times
> > >>>>>> (this convenience is what I provided in the patch).
> > >>>>>>
> > >>>>>> As I said above I am willing to take this to the user list and
> > >>>>>> invite
> > >>>>>> all users who run a release4.0 branch to submit an accept/reject
> > >>>>>> vote,
> > >>>>>> as I think this feature/bug (or bug/feature) is important enough to
> > >>>>>> the success of release4.0 to warrant.
> > >>>>>>
> > >>>>>> I am happily sitting on the fence and content to let this issue go
> > >>>>>> either way.  I am finding it fascinating.
> > >>>>>>
> > >>>>>> Cheers all
> > >>>>>> Dan
> > >>>>>>
> > >>>>>>
> > >>>
> > >>
> > >>
> > >
> > >
> > >
> > >
> >
>

> Well, clearchris has a point. Is there a defined release date for 4.0?
>
> It depends on the management's view of OFBiz 4.0. If it is considered alpha, go on ahead and
> insert any amount of enhancements into it. But if it is considered beta, it would be good to be
> strict about things, and pop in only bug fixes.
>
> The question to ask is whether management intends for OFBiz 4.0 to be frozen or not. Is it
> released/published already or not? If it is considered already published, I'd really like to see
> further enhancements in OFBiz 4.1. From a psychological perspective, it's exciting to see OFBiz
> 4.1, rather than see OFBiz 4.0 improve tremendously "behind-the-scenes" over one long year.
>
> Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10 months ago, but the 4.0
> then is a far cry from the 4.0 now!". It'd be easier saying: "Boss, we now have OFBiz 4.4. Here
> are the list of improvements over 4.0.".
>
> Then some folks may say that OFBiz 4.0 as it is now is unusable, that no one in right mind will
> use 4.0 given the horrible security issue outstanding. What then? I say, we let 4.0 die. Time to
> move on! 4.0 was published, management should stick to that decision. Roll out the next version!
>
> Now on to technical considerations. SVN branches are "hotlinked", ie branching 4.1 from 4.0 only
> creates a cheap reference to 4.0, not an entire copy of 4.0. Any changes to 4.1 will then take up
> further harddisk space, so only deltas above 4.0 are stored on disk. There will still be only
> *one* copy of the entire 4.0 code.
>
> Now we question whether there'll be tons of confusion if we roll out a whole army of the 4.x
> family. The crucial thing we *must* do is to make sure the 4.x family are fully compatible with
> one another such that upgrading/downgrading along the family line requires zero migration effort.
> Also, make sure that any bug fixes can be *uniformly* applied across the whole family. What that
> also means is any enhancements that are too radical and that may break above requirement cannot be
> put into the 4.x family.
>
> So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A non-techie person can say "I
> found the bug in 4.0". So he didn't have time to upgrade to 4.1, or maybe 4.1 is an unlucky number
> for him. Then the response we give him? "Sir, have you gotten the latest updates for 4.0"? He
> either says "no" and he updates and retest, or he says "yes" and we hunt for the bug in that
> *specific release version that is 4.0*! Or if we want to, we could say that "4.0 is dead, please
> use 4.2".
>
> In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all sorts of enhancements as
> long as they don't break backward-compatibility with 4.0. OFBiz 4.0 continues beta, until such
> time that it is super-bugfree. We'll have a series of 4.x members, with the earlier ones getting
> more stable than the later ones (later ones take in risky new enhancements). How will that happen?
> Anyone finding a bug in the latest 4.x member can also apply the similar bug fix to 4.0 (or 4.y
> where y < x). The bug fixes cascade down to earlier 4.x members, making them more stable over
> time, even as the community tests only the newest 4.x member.
>
> Throughout the whole 4.x lineage, no extra harddisk space is taken up. SVN makes cheap "copies".
> Only deltas are stored.
>
> Is that clearly explained? Or did I just confuse version control with cake-baking?
>
> Jonathon
>
> Jacques Le Roux wrote:
> > Finally, have we an idea about what to do :o)
> >
> > Do we need a vote for this ?
> > Maybe a generalisation for "security" case as features to back port in any case ?
> > Create release4.0 (and later when they will come) branches as proposed by Jonathon ?
> >
> > Jacques
> >
> > De : "clearchris" <[hidden email]>
> >> I had no idea the can of worms this would open up when I entered the issue.
> >>
> >> I come down on the side of wanting this patch in the release branch.
> >>
> >> Further, as there is no defined release date for 4.0, I would consider it
> >> still open for very high-priority issues that are not traditionally defined
> >> as "bugs".  Ofbiz customers, if they are using the release branch in
> >> production or close to production would probably do well to lag a bit and
> >> run with an older revision of the release branch.  Regressions can always be
> >> an issue, even with bug "fixes".
> >>
> >> Chris
> >>
> >> -----Original Message-----
> >> From: David E Jones [mailto:[hidden email]]
> >> Sent: Thursday, November 15, 2007 4:11 PM
> >> To: [hidden email]
> >> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
> >>
> >>
> >> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
> >>
> >>> Using that logic, you could say that almost any previous bugs were
> >>> really "as-implemented" features and no changes should ever be made to
> >>> the current release branch.
> >>> If it was found somewhere in ofbiz that sensitive information was
> >>> submitted over http instead of https, would that be considered a bug?
> >>> Or would it be discounted as "well, it's a bad choice but that's how
> >>> it
> >>> was implemented"?
> >>>
> >>> I understand that the difficult thing about this is that the bug/
> >>> feature
> >>> line has to be drawn somewhere.  (I know where I'd draw it, especially
> >>> on security related issues.)
> >> It's really not that tough... As I described in depth in my previous
> >> post in this thread there is no need to muddy the meaning of "bug".
> >>
> >> Maybe the word you are looking for is "issue"?
> >>
> >> This isn't a "bug" per-se, but certainly an "issue" and solving that
> >> issue requires a new feature. That doesn't mean it can't go into the
> >> release branch, but non-bug-fixes should be carefully considered
> >> before being added.
> >>
> >>> I'm curious to see how things pan out on this.  It will tell me how
> >>> seriously security is taken by the people driving ofbiz.
> >> This is a common misconception. There are no "people driving ofbiz".
> >>
> >> OFBiz is a community-driven project and things happen when a user
> >> needs something, implements it, and contributes it back to the
> >> project. Even committers on OFBiz are just users who have a long
> >> history of contributions and are invited to be committers to
> >> facilitate further involvement.
> >>
> >> Security or not, things will only be fixed if someone cares enough.
> >> The flip side of that is that if someone doesn't like how something is
> >> in OFBiz and they don't do anything about it, they have only
> >> themselves to blame, as uncomfortable and frighteningly empowering as
> >> that may be. ;)
> >>
> >> -David
> >>
> >>
> >>> Ray Barlow wrote:
> >>>> As you say plenty of good points so rather than repeat lengthy
> >>>> arguments
> >>>> for or against I'll keep it simple and just say I don't think it
> >>>> should
> >>>> be described as a bug as it was implemented this way. Bad choice
> >>>> maybe
> >>>> but it's a feature change.
> >>>>
> >>>> Having said that I do think it should be seriously considered for the
> >>>> release branch because of it's small footprint and improvement on a
> >>>> very
> >>>> weak and insecure area.
> >>>>
> >>>> Ray
> >>>>
> >>>>
> >>>> Dan Shields wrote:
> >>>>> Thanks Jacques.   Is there any further action by me that might be
> >>>>> advised?   I was wondering because I was considering declaring a
> >>>>> referendum on the issue on the user list as per David Jones'
> >>>>> suggestion.
> >>>>>
> >>>>> Wow I guess that what we have here is "the absence of this new
> >>>>> feature
> >>>>> is a bug".
> >>>>>
> >>>>> I must say, the dev-debate that it has inspired has been impressive!
> >>>>> There are good arguments both for viewing the patch as a bug, as
> >>>>> well
> >>>>> as equally good arguments for viewing it as a feature.  It really
> >>>>> surprised me because up until that point in time (when I blindly
> >>>>> stumbled into this) my view was entirely to think about it as a bug
> >>>>> only.  The author of OFBIZ-1106 never knew the difference between
> >>>>> 'code that failed to hide the password' and 'the complete absence of
> >>>>> code that successfully hid the password', he just knew that the
> >>>>> software did not do 'as it should', and this was exactly my point of
> >>>>> view in devising a solution as well.  It requires a strong
> >>>>> metaphysical argument to even tell the difference between the points
> >>>>> of fact that might exist in the software that would reveal the
> >>>>> actual
> >>>>> intent of the original design.  My feeling is that it was either
> >>>>> overlooked accidentally, or it was not convenient to declare the XUI
> >>>>> XPage in a manner that made sense to have both regular input and
> >>>>> password input in the same node of the tree but at different times
> >>>>> (this convenience is what I provided in the patch).
> >>>>>
> >>>>> As I said above I am willing to take this to the user list and
> >>>>> invite
> >>>>> all users who run a release4.0 branch to submit an accept/reject
> >>>>> vote,
> >>>>> as I think this feature/bug (or bug/feature) is important enough to
> >>>>> the success of release4.0 to warrant.
> >>>>>
> >>>>> I am happily sitting on the fence and content to let this issue go
> >>>>> either way.  I am finding it fascinating.
> >>>>>
> >>>>> Cheers all
> >>>>> Dan
> >>>>>
> >>>>>
> >>
> >
> >
>

> Thanks Jonathon,
>
> This is clearly explained, no doubt. Waiting now for opinions because this means more work for commiters and we should be sure we
> want to go for that.
> I guess the main reason we are doing as it's now is explained in
> http://docs.ofbiz.org/display/OFBADMIN/Release+Plan#ReleasePlan-GeneralReleasePolicies
> Notably <<Once a release branch stabilizes an initial "stable" release tag and pre-built package will be issued>>
>
> Always the man power issue, though as I'm not a svn branch expert I may not understand something here (I seems easier to me to put a
> tag on a branch than to have to deal with multi sub-branches) ?
>
> My question remains : patching security holes should be considered as bug fixes ? It seems that for POS users it's yes, but only in
> this case ? Should we not change our release policy about that point ?
> My opininon is yes : we should consider that fixing an *obvious* security hole is like fixing a bug. Because it's not a logical bug
> but a functionnal one. But this concept of "functionnal bug" should not be applied/used outside of security range else we would
> really then open a can of worms !
>
> Jacques
>
>> Well, clearchris has a point. Is there a defined release date for 4.0?
>>
>> It depends on the management's view of OFBiz 4.0. If it is considered alpha, go on ahead and
>> insert any amount of enhancements into it. But if it is considered beta, it would be good to be
>> strict about things, and pop in only bug fixes.
>>
>> The question to ask is whether management intends for OFBiz 4.0 to be frozen or not. Is it
>> released/published already or not? If it is considered already published, I'd really like to see
>> further enhancements in OFBiz 4.1. From a psychological perspective, it's exciting to see OFBiz
>> 4.1, rather than see OFBiz 4.0 improve tremendously "behind-the-scenes" over one long year.
>>
>> Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10 months ago, but the 4.0
>> then is a far cry from the 4.0 now!". It'd be easier saying: "Boss, we now have OFBiz 4.4. Here
>> are the list of improvements over 4.0.".
>>
>> Then some folks may say that OFBiz 4.0 as it is now is unusable, that no one in right mind will
>> use 4.0 given the horrible security issue outstanding. What then? I say, we let 4.0 die. Time to
>> move on! 4.0 was published, management should stick to that decision. Roll out the next version!
>>
>> Now on to technical considerations. SVN branches are "hotlinked", ie branching 4.1 from 4.0 only
>> creates a cheap reference to 4.0, not an entire copy of 4.0. Any changes to 4.1 will then take up
>> further harddisk space, so only deltas above 4.0 are stored on disk. There will still be only
>> *one* copy of the entire 4.0 code.
>>
>> Now we question whether there'll be tons of confusion if we roll out a whole army of the 4.x
>> family. The crucial thing we *must* do is to make sure the 4.x family are fully compatible with
>> one another such that upgrading/downgrading along the family line requires zero migration effort.
>> Also, make sure that any bug fixes can be *uniformly* applied across the whole family. What that
>> also means is any enhancements that are too radical and that may break above requirement cannot be
>> put into the 4.x family.
>>
>> So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A non-techie person can say "I
>> found the bug in 4.0". So he didn't have time to upgrade to 4.1, or maybe 4.1 is an unlucky number
>> for him. Then the response we give him? "Sir, have you gotten the latest updates for 4.0"? He
>> either says "no" and he updates and retest, or he says "yes" and we hunt for the bug in that
>> *specific release version that is 4.0*! Or if we want to, we could say that "4.0 is dead, please
>> use 4.2".
>>
>> In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all sorts of enhancements as
>> long as they don't break backward-compatibility with 4.0. OFBiz 4.0 continues beta, until such
>> time that it is super-bugfree. We'll have a series of 4.x members, with the earlier ones getting
>> more stable than the later ones (later ones take in risky new enhancements). How will that happen?
>> Anyone finding a bug in the latest 4.x member can also apply the similar bug fix to 4.0 (or 4.y
>> where y < x). The bug fixes cascade down to earlier 4.x members, making them more stable over
>> time, even as the community tests only the newest 4.x member.
>>
>> Throughout the whole 4.x lineage, no extra harddisk space is taken up. SVN makes cheap "copies".
>> Only deltas are stored.
>>
>> Is that clearly explained? Or did I just confuse version control with cake-baking?
>>
>> Jonathon
>>
>> Jacques Le Roux wrote:
>>> Finally, have we an idea about what to do :o)
>>>
>>> Do we need a vote for this ?
>>> Maybe a generalisation for "security" case as features to back port in any case ?
>>> Create release4.0 (and later when they will come) branches as proposed by Jonathon ?
>>>
>>> Jacques
>>>
>>> De : "clearchris" <[hidden email]>
>>>> I had no idea the can of worms this would open up when I entered the issue.
>>>>
>>>> I come down on the side of wanting this patch in the release branch.
>>>>
>>>> Further, as there is no defined release date for 4.0, I would consider it
>>>> still open for very high-priority issues that are not traditionally defined
>>>> as "bugs".  Ofbiz customers, if they are using the release branch in
>>>> production or close to production would probably do well to lag a bit and
>>>> run with an older revision of the release branch.  Regressions can always be
>>>> an issue, even with bug "fixes".
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: David E Jones [mailto:[hidden email]]
>>>> Sent: Thursday, November 15, 2007 4:11 PM
>>>> To: [hidden email]
>>>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>>>
>>>>
>>>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>>>>
>>>>> Using that logic, you could say that almost any previous bugs were
>>>>> really "as-implemented" features and no changes should ever be made to
>>>>> the current release branch.
>>>>> If it was found somewhere in ofbiz that sensitive information was
>>>>> submitted over http instead of https, would that be considered a bug?
>>>>> Or would it be discounted as "well, it's a bad choice but that's how
>>>>> it
>>>>> was implemented"?
>>>>>
>>>>> I understand that the difficult thing about this is that the bug/
>>>>> feature
>>>>> line has to be drawn somewhere.  (I know where I'd draw it, especially
>>>>> on security related issues.)
>>>> It's really not that tough... As I described in depth in my previous
>>>> post in this thread there is no need to muddy the meaning of "bug".
>>>>
>>>> Maybe the word you are looking for is "issue"?
>>>>
>>>> This isn't a "bug" per-se, but certainly an "issue" and solving that
>>>> issue requires a new feature. That doesn't mean it can't go into the
>>>> release branch, but non-bug-fixes should be carefully considered
>>>> before being added.
>>>>
>>>>> I'm curious to see how things pan out on this.  It will tell me how
>>>>> seriously security is taken by the people driving ofbiz.
>>>> This is a common misconception. There are no "people driving ofbiz".
>>>>
>>>> OFBiz is a community-driven project and things happen when a user
>>>> needs something, implements it, and contributes it back to the
>>>> project. Even committers on OFBiz are just users who have a long
>>>> history of contributions and are invited to be committers to
>>>> facilitate further involvement.
>>>>
>>>> Security or not, things will only be fixed if someone cares enough.
>>>> The flip side of that is that if someone doesn't like how something is
>>>> in OFBiz and they don't do anything about it, they have only
>>>> themselves to blame, as uncomfortable and frighteningly empowering as
>>>> that may be. ;)
>>>>
>>>> -David
>>>>
>>>>
>>>>> Ray Barlow wrote:
>>>>>> As you say plenty of good points so rather than repeat lengthy
>>>>>> arguments
>>>>>> for or against I'll keep it simple and just say I don't think it
>>>>>> should
>>>>>> be described as a bug as it was implemented this way. Bad choice
>>>>>> maybe
>>>>>> but it's a feature change.
>>>>>>
>>>>>> Having said that I do think it should be seriously considered for the
>>>>>> release branch because of it's small footprint and improvement on a
>>>>>> very
>>>>>> weak and insecure area.
>>>>>>
>>>>>> Ray
>>>>>>
>>>>>>
>>>>>> Dan Shields wrote:
>>>>>>> Thanks Jacques.   Is there any further action by me that might be
>>>>>>> advised?   I was wondering because I was considering declaring a
>>>>>>> referendum on the issue on the user list as per David Jones'
>>>>>>> suggestion.
>>>>>>>
>>>>>>> Wow I guess that what we have here is "the absence of this new
>>>>>>> feature
>>>>>>> is a bug".
>>>>>>>
>>>>>>> I must say, the dev-debate that it has inspired has been impressive!
>>>>>>> There are good arguments both for viewing the patch as a bug, as
>>>>>>> well
>>>>>>> as equally good arguments for viewing it as a feature.  It really
>>>>>>> surprised me because up until that point in time (when I blindly
>>>>>>> stumbled into this) my view was entirely to think about it as a bug
>>>>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>>>>> 'code that failed to hide the password' and 'the complete absence of
>>>>>>> code that successfully hid the password', he just knew that the
>>>>>>> software did not do 'as it should', and this was exactly my point of
>>>>>>> view in devising a solution as well.  It requires a strong
>>>>>>> metaphysical argument to even tell the difference between the points
>>>>>>> of fact that might exist in the software that would reveal the
>>>>>>> actual
>>>>>>> intent of the original design.  My feeling is that it was either
>>>>>>> overlooked accidentally, or it was not convenient to declare the XUI
>>>>>>> XPage in a manner that made sense to have both regular input and
>>>>>>> password input in the same node of the tree but at different times
>>>>>>> (this convenience is what I provided in the patch).
>>>>>>>
>>>>>>> As I said above I am willing to take this to the user list and
>>>>>>> invite
>>>>>>> all users who run a release4.0 branch to submit an accept/reject
>>>>>>> vote,
>>>>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>>>>> the success of release4.0 to warrant.
>>>>>>>
>>>>>>> I am happily sitting on the fence and content to let this issue go
>>>>>>> either way.  I am finding it fascinating.
>>>>>>>
>>>>>>> Cheers all
>>>>>>> Dan
>>>>>>>
>>>>>>>
>>>
>
>

> Jonathon,
>
> I just re-read you message below and I'm not quite sure to understand because for me a tag is just a name for a revision number.
>
> I wrote
>>> Notably <<Once a release branch stabilizes an initial "stable" release tag
>>  > and pre-built package will be issued>>
>
> You answered
>> What this means is:
>>
>> 1. Receive fixes for OFBiz 4.0 branch (it's a progressing branch)
> ok
>
>> 2. Stabilize OFBiz 4.0 branch (time to freeze)
> ok
>
>> 3. Fork a new branch called OFBiz 4.0.stable (non-progressing branch)
> ok
>> That's the meaning of "tag" in SVN. In fact, "tag" in CVS is about the same (effected with
>> "branching"), just that CVS branching is not the same "cheap copies" as in SVN.
> Do you mean that a tag is also a lazy copie like branches are ?
>
>>  > though as I'm not a svn branch expert I may not understand something here (I
>>  > seems easier to me to put a tag on a branch than to have to deal with multi
>>  > sub-branches) ?
>>
>> It's the same. A "tag" is simply a branch that (by policy and self-discipline) is never updated,
>> never changed.
> For me this is 2 differents things. A tag is a named revision number (in trunk or branches), a branch is a copy made at some point
> from the trunk (initially) or another branch (thereafter)
>> A "branch" is a branch that continues to grow.
>>
>> Think of a "tag" as a teeny tiny branch that serves as a "marker", a stub that never grows.
> Then maybe it's only a vocabulary issue between us. You use tag for a frozen branch, which indeed makes sense in a way.
>
> BTW I think the time is coming to answer questions like in
> http://docs.ofbiz.org/display/OFBADMIN/Demo+and+Test+Setup+Guide?focusedCommentId=2604#comment-2604
>
> What to you think, you developpers ?
>
> Jacques
>
>