I agree with Tim. It's a security-related bug fix. Displaying
passwords in plaintext on a screen is a bug. It is industry standard
practice to not show passwords on the screen (either by replacing
w/asterisks or not displaying characters at all).

Mike




Adrian Crum wrote:
> Tim,
> 
> From my perspective, it would be like finding a security breach in the
> branch. Would we want to close the security breach? Of course! Are we
> adding a new feature by doing so? I guess some people would consider a
> closed security breach a "new feature" - but the people downloading and
> deploying the branch would consider it a bug fix.
> 
> -Adrian
> 
> Tim Ruppert wrote:
> 
>> I'm only against breaking the rules of the branch for this one
>> feature enhancement. If the application doesn't work, then it's a
>> fix though. So, I guess it goes back to whether or not this is a fix
>> of a problem that was there or is it a feature enhancement?
>>
>> Cheers,
>> Tim
>> -- 
>> Tim Ruppert
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> o:801.649.6594
>> f:801.649.6595
>>
>>
>> On Nov 14, 2007, at 10:59 AM, Scott Gray wrote:
>>
>>> I'm not against it, +1
>>>
>>> Scott
>>>
>>> On 15/11/2007, Vince M. Clark <[EMAIL PROTECTED]> wrote:
>>>
>>>> +1
>>>>
>>>> Vince Clark
>>>> Global Era
>>>> The Freedom of Open Source
>>>> [EMAIL PROTECTED]
>>>> (303) 493-6723
>>>>
>>>> ----- Original Message -----
>>>> From: "Adrian Crum" <[EMAIL PROTECTED]>
>>>> To: dev@ofbiz.apache.org
>>>> Sent: Wednesday, November 14, 2007 10:16:31 AM (GMT-0700) America/Denver
>>>> Subject: Re: release4.0: OFBIZ-1106 (in or out?)
>>>>
>>>> While technically it is not a bug fix, I believe it should go in 
>>>> anyway - since the release is
>>>> intended to be widely deployed, and the problem your patch 
>>>> addresses might be a deal breaker for
>>>> those who are considering deploying the release.
>>>>
>>>> +1 for including it.
>>>>
>>>> -Adrian
>>>>
>>>> Dan Shields wrote:
>>>>
>>>>> Thanks Jacques for helping get my patch for OFBIZ-1106 into OFBiz.
>>>>>
>>>>> Hello Devs, recently I participated with other developers to devise a
>>>>> fix for OFBIZ-1106. The patch I submitted is now in HEAD but
>>>>> UNsurprisingly it has been held back from release4.0 because the
>>>>> acceptance criteria, I am told, accept only bug fixes.
>>>>>
>>>>> Some would agree that release4.0 was unusable for POS for the fact
>>>>> that it echoes the manager's and the user's password to the screen for
>>>>> all staff and customers to see. I don't know if any other developer
>>>>> has tried to train non-computer people to use the POS application, but
>>>>> I have seen the genuine surprise on their faces when they saw their
>>>>> own password appear on the screen as they typed. It should be
>>>>> self-evident that this is undesirable behavior. My patch merely
>>>>> replaces the characters on the screen with asterisks; it does so in a
>>>>> manner that respects existing APIs employed by the OFBiz POS
>>>>> application, it is well-tested, cleanly applies to HEAD and
>>>>> release4.0, and has been tested by other ofbiz developers as well.
>>>>>
>>>>> It seems that there is some uncertainty over whether this is in fact a
>>>>> bug fix or not. I am merely asking for additional support in
>>>>> deciding:
>>>>> "For the purposes of release4.0, is my patch for OFBIZ-1106 a bug fix?"
>>>>>
>>>>
>>

-- 
Millcreek Systems, Inc.
P.O. Box 9835
Salt Lake City, Utah 84109
Phone: 801.649.4903
Skype: millcreeksys (http://millcreeksys.com/skype/)
