Well, clearchris has a point. Is there a defined release date for 4.0?
It depends on the management's view of OFBiz 4.0. If it is considered alpha, go on ahead and
insert any amount of enhancements into it. But if it is considered beta, it would be good to be
strict about things, and pop in only bug fixes.
The question to ask is whether management intends for OFBiz 4.0 to be frozen or not. Is it
released/published already or not? If it is considered already published, I'd really like to see
further enhancements in OFBiz 4.1. From a psychological perspective, it's exciting to see OFBiz
4.1, rather than see OFBiz 4.0 improve tremendously "behind-the-scenes" over one long year.
Picture what I'd tell my clients: "Boss, I know OFBiz 4.0 was shaky 10 months ago, but the 4.0
then is a far cry from the 4.0 now!". It'd be easier saying: "Boss, we now have OFBiz 4.4. Here
are the list of improvements over 4.0.".
Then some folks may say that OFBiz 4.0 as it is now is unusable, that no one in right mind will
use 4.0 given the horrible security issue outstanding. What then? I say, we let 4.0 die. Time to
move on! 4.0 was published, management should stick to that decision. Roll out the next version!
Now on to technical considerations. SVN branches are "hotlinked", ie branching 4.1 from 4.0 only
creates a cheap reference to 4.0, not an entire copy of 4.0. Any changes to 4.1 will then take up
further harddisk space, so only deltas above 4.0 are stored on disk. There will still be only
*one* copy of the entire 4.0 code.
Now we question whether there'll be tons of confusion if we roll out a whole army of the 4.x
family. The crucial thing we *must* do is to make sure the 4.x family are fully compatible with
one another such that upgrading/downgrading along the family line requires zero migration effort.
Also, make sure that any bug fixes can be *uniformly* applied across the whole family. What that
also means is any enhancements that are too radical and that may break above requirement cannot be
put into the 4.x family.
So what's the point of having 4.0 and 4.1? Ease of bug-reporting! A non-techie person can say "I
found the bug in 4.0". So he didn't have time to upgrade to 4.1, or maybe 4.1 is an unlucky number
for him. Then the response we give him? "Sir, have you gotten the latest updates for 4.0"? He
either says "no" and he updates and retest, or he says "yes" and we hunt for the bug in that
*specific release version that is 4.0*! Or if we want to, we could say that "4.0 is dead, please
use 4.2".
In short, here's the plan. OFBiz 4.1 goes into alpha, and takes in all sorts of enhancements as
long as they don't break backward-compatibility with 4.0. OFBiz 4.0 continues beta, until such
time that it is super-bugfree. We'll have a series of 4.x members, with the earlier ones getting
more stable than the later ones (later ones take in risky new enhancements). How will that happen?
Anyone finding a bug in the latest 4.x member can also apply the similar bug fix to 4.0 (or 4.y
where y < x). The bug fixes cascade down to earlier 4.x members, making them more stable over
time, even as the community tests only the newest 4.x member.
Throughout the whole 4.x lineage, no extra harddisk space is taken up. SVN makes cheap "copies".
Only deltas are stored.
Is that clearly explained? Or did I just confuse version control with
cake-baking?
Jonathon
Jacques Le Roux wrote:
Finally, have we an idea about what to do :o)
Do we need a vote for this ?
Maybe a generalisation for "security" case as features to back port in any case ?
Create release4.0 (and later when they will come) branches as proposed by
Jonathon ?
Jacques
De : "clearchris" <[EMAIL PROTECTED]>
I had no idea the can of worms this would open up when I entered the issue.
I come down on the side of wanting this patch in the release branch.
Further, as there is no defined release date for 4.0, I would consider it
still open for very high-priority issues that are not traditionally defined
as "bugs". Ofbiz customers, if they are using the release branch in
production or close to production would probably do well to lag a bit and
run with an older revision of the release branch. Regressions can always be
an issue, even with bug "fixes".
Chris
-----Original Message-----
From: David E Jones [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 15, 2007 4:11 PM
To: dev@ofbiz.apache.org
Subject: Re: release4.0: OFBIZ-1106 (in or out?)
On Nov 15, 2007, at 11:18 AM, Michael Jensen wrote:
Using that logic, you could say that almost any previous bugs were
really "as-implemented" features and no changes should ever be made to
the current release branch.
If it was found somewhere in ofbiz that sensitive information was
submitted over http instead of https, would that be considered a bug?
Or would it be discounted as "well, it's a bad choice but that's how
it
was implemented"?
I understand that the difficult thing about this is that the bug/
feature
line has to be drawn somewhere. (I know where I'd draw it, especially
on security related issues.)
It's really not that tough... As I described in depth in my previous
post in this thread there is no need to muddy the meaning of "bug".
Maybe the word you are looking for is "issue"?
This isn't a "bug" per-se, but certainly an "issue" and solving that
issue requires a new feature. That doesn't mean it can't go into the
release branch, but non-bug-fixes should be carefully considered
before being added.
I'm curious to see how things pan out on this. It will tell me how
seriously security is taken by the people driving ofbiz.
This is a common misconception. There are no "people driving ofbiz".
OFBiz is a community-driven project and things happen when a user
needs something, implements it, and contributes it back to the
project. Even committers on OFBiz are just users who have a long
history of contributions and are invited to be committers to
facilitate further involvement.
Security or not, things will only be fixed if someone cares enough.
The flip side of that is that if someone doesn't like how something is
in OFBiz and they don't do anything about it, they have only
themselves to blame, as uncomfortable and frighteningly empowering as
that may be. ;)
-David
Ray Barlow wrote:
As you say plenty of good points so rather than repeat lengthy
arguments
for or against I'll keep it simple and just say I don't think it
should
be described as a bug as it was implemented this way. Bad choice
maybe
but it's a feature change.
Having said that I do think it should be seriously considered for the
release branch because of it's small footprint and improvement on a
very
weak and insecure area.
Ray
Dan Shields wrote:
Thanks Jacques. Is there any further action by me that might be
advised? I was wondering because I was considering declaring a
referendum on the issue on the user list as per David Jones'
suggestion.
Wow I guess that what we have here is "the absence of this new
feature
is a bug".
I must say, the dev-debate that it has inspired has been impressive!
There are good arguments both for viewing the patch as a bug, as
well
as equally good arguments for viewing it as a feature. It really
surprised me because up until that point in time (when I blindly
stumbled into this) my view was entirely to think about it as a bug
only. The author of OFBIZ-1106 never knew the difference between
'code that failed to hide the password' and 'the complete absence of
code that successfully hid the password', he just knew that the
software did not do 'as it should', and this was exactly my point of
view in devising a solution as well. It requires a strong
metaphysical argument to even tell the difference between the points
of fact that might exist in the software that would reveal the
actual
intent of the original design. My feeling is that it was either
overlooked accidentally, or it was not convenient to declare the XUI
XPage in a manner that made sense to have both regular input and
password input in the same node of the tree but at different times
(this convenience is what I provided in the patch).
As I said above I am willing to take this to the user list and
invite
all users who run a release4.0 branch to submit an accept/reject
vote,
as I think this feature/bug (or bug/feature) is important enough to
the success of release4.0 to warrant.
I am happily sitting on the fence and content to let this issue go
either way. I am finding it fascinating.
Cheers all
Dan
