I'd prefer not to dilute the meaning of "bug". A bug is an existing feature that doesn't work as it was intended when written.
Passwords in plain text would be a security issue, but since the fix for that issue is most likely a new feature rather than fixing an existing feature (I haven't looked at the code so I don't know if there is broken code that should do this, but it doesn't sound like it), then it is a new feature and not a bug.
So, the question that started this thread is the most relevant: because it is a big concern, should we add this to the branch even though it is a new feature and not a bug fix?
My opinion on that is let the users of the branch decide... I'm not really in a good position to express an opinion because I make a regular practice of pushing clients away from the branch and to the trunk so that new work we do for them (new stuff being most of what we do as a company) can be done in participation with the project.
We could do a formal vote where only PMC votes are binding, but it might be more valuable to just get feedback from branch users and make a decision. Purely an administrative comment that.
-David

On Nov 14, 2007, at 11:22 AM, Michael Jensen wrote:

I agree with Tim. It's a security related bug fix. Displaying passwords in plaintext on a screen is a bug. It is industry standard practice to not show passwords on the screen (either by replacing w/asterisks or not displaying characters at all.)

Mike

Adrian Crum wrote:

Tim,

From my perspective, it would be like finding a security breach in the branch. Would we want to close the security breach? Of course! Are we adding a new feature by doing so? I guess some people would consider a closed security breach a "new feature" - but the people downloading and deploying the branch would consider it a bug fix.

-Adrian

Tim Ruppert wrote:

I'm only against breaking the rules of the branch for this one feature enhancement. If the application doesn't work, then it's a fix though. So, I guess it goes back to whether or not this is a fix of a problem that was there or is it a feature enhancement?

Cheers,
Tim
--
Tim Ruppert
HotWax Media
http://www.hotwaxmedia.com
o:801.649.6594
f:801.649.6595

On Nov 14, 2007, at 10:59 AM, Scott Gray wrote:

I'm not against it, +1

Scott

On 15/11/2007, Vince M. Clark <[EMAIL PROTECTED]> wrote:

+1

Vince Clark
Global Era
The Freedom of Open Source
[EMAIL PROTECTED]
(303) 493-6723

----- Original Message -----
From: "Adrian Crum" <[EMAIL PROTECTED]>
To: dev@ofbiz.apache.org
Sent: Wednesday, November 14, 2007 10:16:31 AM (GMT-0700) America/Denver
Subject: Re: release4.0: OFBIZ-1106 (in or out?)

While technically it is not a bug fix, I believe it should go in anyway - since the release is intended to be widely deployed, and the problem your patch addresses might be a deal breaker for those who are considering deploying the release.

+1 for including it.

-Adrian

Dan Shields wrote:

Thanks Jacques for helping get my patch for OFBIZ-1106 into OFBiz.

Hello Devs, recently I participated with other developers to devise a fix for OFBIZ-1106. The patch I submitted is now in HEAD but UNsurprisingly it has been held back from release4.0 because the acceptance criteria, I am told, accepts only bug fixes.

Some would agree that release4.0 was unusable for POS for the fact that it echoes the manager's and the user's password to the screen for all staff and customers to see. I don't know if any other developer has tried to train non-computer people to use the POS application, but I have seen the genuine surprise on their faces when they saw their own password appear on the screen as they typed. It should be self-evident that this is undesirable behavior.

My patch merely replaces the characters on the screen with asterisks; it does so in a manner that respects existing APIs employed by the OFBiz POS application, it is well-tested, cleanly applies to HEAD and release4.0, and has been tested by other ofbiz developers as well.

It seems that there is some uncertainty over whether this is in fact a bug fix or not. I am merely asking for additional support in deciding: "For the purposes of release4.0, is my patch for OFBIZ-1106 a bug fix?"

--
Millcreek Systems, Inc.
P.O. Box 9835
Salt Lake City, Utah 84109
Phone: 801.649.4903
Skype: millcreeksys (http://millcreeksys.com/skype/)