> Thanks Jonathon,
>
> This is clearly explained, no doubt. Waiting now for opinions because this means more work for commiters and we should be sure we
> want to go for that.
> I guess the main reason we are doing as it's now is explained in
> http://docs.ofbiz.org/display/OFBADMIN/Release+Plan#ReleasePlan-GeneralReleasePolicies
> Notably <<Once a release branch stabilizes an initial "stable" release tag and pre-built package will be issued>>
>
> Always the man power issue, though as I'm not a svn branch expert I may not understand something here (I seems easier to me to put a
> tag on a branch than to have to deal with multi sub-branches) ?
>
> My question remains : patching security holes should be considered as bug fixes ? It seems that for POS users it's yes, but only in
> this case ? Should we not change our release policy about that point ?
> My opininon is yes : we should consider that fixing an *obvious* security hole is like fixing a bug. Because it's not a logical bug
> but a functionnal one. But this concept of "functionnal bug" should not be applied/used outside of security range else we would
> really then open a can of worms !
>
> Jacques
>
>> Well, clearchris has a point. Is there a defined release date for 4.0?
>>
>> It depends on the management's view of OFBiz 4.0. If it is considered alpha, go on ahead and
>> insert any amount of enhancements into it. But if it is considered beta, it would be good to be
>> strict about things, and pop in only bug fixes.
>>
>> The question to ask is whether management intends for OFBiz 4.0 to be frozen or not. Is it
>> released/published already or not? If it is considered already published, I'd really like to see
>> further enhancements in OFBiz 4.1. From a psychological perspective, it's exciting to see OFBiz
>> 4.1, rather than see OFBiz 4.0 improve tremendously "behind-the-scenes" over one long year.
>>
>> Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10 months ago, but the 4.0
>> then is a far cry from the 4.0 now!". It'd be easier saying: "Boss, we now have OFBiz 4.4. Here
>> are the list of improvements over 4.0.".
>>
>> Then some folks may say that OFBiz 4.0 as it is now is unusable, that no one in right mind will
>> use 4.0 given the horrible security issue outstanding. What then? I say, we let 4.0 die. Time to
>> move on! 4.0 was published, management should stick to that decision. Roll out the next version!
>>
>> Now on to technical considerations. SVN branches are "hotlinked", ie branching 4.1 from 4.0 only
>> creates a cheap reference to 4.0, not an entire copy of 4.0. Any changes to 4.1 will then take up
>> further harddisk space, so only deltas above 4.0 are stored on disk. There will still be only
>> *one* copy of the entire 4.0 code.
>>
>> Now we question whether there'll be tons of confusion if we roll out a whole army of the 4.x
>> family. The crucial thing we *must* do is to make sure the 4.x family are fully compatible with
>> one another such that upgrading/downgrading along the family line requires zero migration effort.
>> Also, make sure that any bug fixes can be *uniformly* applied across the whole family. What that
>> also means is any enhancements that are too radical and that may break above requirement cannot be
>> put into the 4.x family.
>>
>> So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A non-techie person can say "I
>> found the bug in 4.0". So he didn't have time to upgrade to 4.1, or maybe 4.1 is an unlucky number
>> for him. Then the response we give him? "Sir, have you gotten the latest updates for 4.0"? He
>> either says "no" and he updates and retest, or he says "yes" and we hunt for the bug in that
>> *specific release version that is 4.0*! Or if we want to, we could say that "4.0 is dead, please
>> use 4.2".
>>
>> In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all sorts of enhancements as
>> long as they don't break backward-compatibility with 4.0. OFBiz 4.0 continues beta, until such
>> time that it is super-bugfree. We'll have a series of 4.x members, with the earlier ones getting
>> more stable than the later ones (later ones take in risky new enhancements). How will that happen?
>> Anyone finding a bug in the latest 4.x member can also apply the similar bug fix to 4.0 (or 4.y
>> where y < x). The bug fixes cascade down to earlier 4.x members, making them more stable over
>> time, even as the community tests only the newest 4.x member.
>>
>> Throughout the whole 4.x lineage, no extra harddisk space is taken up. SVN makes cheap "copies".
>> Only deltas are stored.
>>
>> Is that clearly explained? Or did I just confuse version control with cake-baking?
>>
>> Jonathon
>>
>> Jacques Le Roux wrote:
>>> Finally, have we an idea about what to do :o)
>>>
>>> Do we need a vote for this ?
>>> Maybe a generalisation for "security" case as features to back port in any case ?
>>> Create release4.0 (and later when they will come) branches as proposed by Jonathon ?
>>>
>>> Jacques
>>>
>>> De : "clearchris" <[hidden email]>
>>>> I had no idea the can of worms this would open up when I entered the issue.
>>>>
>>>> I come down on the side of wanting this patch in the release branch.
>>>>
>>>> Further, as there is no defined release date for 4.0, I would consider it
>>>> still open for very high-priority issues that are not traditionally defined
>>>> as "bugs".  Ofbiz customers, if they are using the release branch in
>>>> production or close to production would probably do well to lag a bit and
>>>> run with an older revision of the release branch.  Regressions can always be
>>>> an issue, even with bug "fixes".
>>>>
>>>> Chris
>>>>
>>>> -----Original Message-----
>>>> From: David E Jones [mailto:[hidden email]]
>>>> Sent: Thursday, November 15, 2007 4:11 PM
>>>> To: [hidden email]
>>>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>>>
>>>>
>>>> On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
>>>>
>>>>> Using that logic, you could say that almost any previous bugs were
>>>>> really "as-implemented" features and no changes should ever be made to
>>>>> the current release branch.
>>>>> If it was found somewhere in ofbiz that sensitive information was
>>>>> submitted over http instead of https, would that be considered a bug?
>>>>> Or would it be discounted as "well, it's a bad choice but that's how
>>>>> it
>>>>> was implemented"?
>>>>>
>>>>> I understand that the difficult thing about this is that the bug/
>>>>> feature
>>>>> line has to be drawn somewhere.  (I know where I'd draw it, especially
>>>>> on security related issues.)
>>>> It's really not that tough... As I described in depth in my previous
>>>> post in this thread there is no need to muddy the meaning of "bug".
>>>>
>>>> Maybe the word you are looking for is "issue"?
>>>>
>>>> This isn't a "bug" per-se, but certainly an "issue" and solving that
>>>> issue requires a new feature. That doesn't mean it can't go into the
>>>> release branch, but non-bug-fixes should be carefully considered
>>>> before being added.
>>>>
>>>>> I'm curious to see how things pan out on this.  It will tell me how
>>>>> seriously security is taken by the people driving ofbiz.
>>>> This is a common misconception. There are no "people driving ofbiz".
>>>>
>>>> OFBiz is a community-driven project and things happen when a user
>>>> needs something, implements it, and contributes it back to the
>>>> project. Even committers on OFBiz are just users who have a long
>>>> history of contributions and are invited to be committers to
>>>> facilitate further involvement.
>>>>
>>>> Security or not, things will only be fixed if someone cares enough.
>>>> The flip side of that is that if someone doesn't like how something is
>>>> in OFBiz and they don't do anything about it, they have only
>>>> themselves to blame, as uncomfortable and frighteningly empowering as
>>>> that may be. ;)
>>>>
>>>> -David
>>>>
>>>>
>>>>> Ray Barlow wrote:
>>>>>> As you say plenty of good points so rather than repeat lengthy
>>>>>> arguments
>>>>>> for or against I'll keep it simple and just say I don't think it
>>>>>> should
>>>>>> be described as a bug as it was implemented this way. Bad choice
>>>>>> maybe
>>>>>> but it's a feature change.
>>>>>>
>>>>>> Having said that I do think it should be seriously considered for the
>>>>>> release branch because of it's small footprint and improvement on a
>>>>>> very
>>>>>> weak and insecure area.
>>>>>>
>>>>>> Ray
>>>>>>
>>>>>>
>>>>>> Dan Shields wrote:
>>>>>>> Thanks Jacques.   Is there any further action by me that might be
>>>>>>> advised?   I was wondering because I was considering declaring a
>>>>>>> referendum on the issue on the user list as per David Jones'
>>>>>>> suggestion.
>>>>>>>
>>>>>>> Wow I guess that what we have here is "the absence of this new
>>>>>>> feature
>>>>>>> is a bug".
>>>>>>>
>>>>>>> I must say, the dev-debate that it has inspired has been impressive!
>>>>>>> There are good arguments both for viewing the patch as a bug, as
>>>>>>> well
>>>>>>> as equally good arguments for viewing it as a feature.  It really
>>>>>>> surprised me because up until that point in time (when I blindly
>>>>>>> stumbled into this) my view was entirely to think about it as a bug
>>>>>>> only.  The author of OFBIZ-1106 never knew the difference between
>>>>>>> 'code that failed to hide the password' and 'the complete absence of
>>>>>>> code that successfully hid the password', he just knew that the
>>>>>>> software did not do 'as it should', and this was exactly my point of
>>>>>>> view in devising a solution as well.  It requires a strong
>>>>>>> metaphysical argument to even tell the difference between the points
>>>>>>> of fact that might exist in the software that would reveal the
>>>>>>> actual
>>>>>>> intent of the original design.  My feeling is that it was either
>>>>>>> overlooked accidentally, or it was not convenient to declare the XUI
>>>>>>> XPage in a manner that made sense to have both regular input and
>>>>>>> password input in the same node of the tree but at different times
>>>>>>> (this convenience is what I provided in the patch).
>>>>>>>
>>>>>>> As I said above I am willing to take this to the user list and
>>>>>>> invite
>>>>>>> all users who run a release4.0 branch to submit an accept/reject
>>>>>>> vote,
>>>>>>> as I think this feature/bug (or bug/feature) is important enough to
>>>>>>> the success of release4.0 to warrant.
>>>>>>>
>>>>>>> I am happily sitting on the fence and content to let this issue go
>>>>>>> either way.  I am finding it fascinating.
>>>>>>>
>>>>>>> Cheers all
>>>>>>> Dan
>>>>>>>
>>>>>>>
>>>
>
>