Hi Daniel,

Now that ecommerce is protected with OFBIZ-13092, at least so far, and as it's 
the most important plugin, we could indeed put it in the framework.

That would also definitely resolve OFBIZ-9185.

Example (and exampleext) would be good to put in too, maybe projectmgr and 
myportal. I'm also looking at birt with OFBIZ-5744.

We should start a new thread about that and discuss which plugins to 
integrate and what to release.

Jacques

On 20/05/2024 at 11:12, Daniel Watford wrote:
Hi Jacques,

I raised the topic of merging the plugins into ofbiz-framework a while ago,
mostly due to the difficulty I found matching branches between the
ofbiz-framework and ofbiz-plugins repositories and keeping the two in sync.

I don't think we went in depth on the topic, but I think the general
preference of the dev mailing list was to keep the two repositories
separate.

However, given your points about 'fragile' plugins, perhaps we could
consider moving those plugins we feel are robust and well used into
ofbiz-framework and leave those fragile plugins in the ofbiz-plugins
repository?

I know that I am banging the same old drum again with the above
suggestion(!) but I really do feel we will be able to better maintain those
favoured plugins more easily if they are kept alongside the core
ofbiz-framework code. The additional benefit is that it will be easier to
release those plugins we are more confident of if they are already in the
ofbiz-framework repository. Perhaps we would then mark those plugins as
disabled by default.

As far as 'framework only' distributions, I think this should be the
default approach we point users of ofbiz to. Interested users can then seek
out the plugins that meet their needs and install them by either retrieving
the relevant plugin files or running the appropriate gradle task.  We
already have framework-only versions of the docker images that we publish.

Thanks,

Dan.


On Mon, 20 May 2024 at 08:08, Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:

Hi,

This thread is already a 7 month "discussion", actually a vote. But I
don't remember another about this point (not releasing the plugins). So I
reuse it, with a security perspective.

The last CVEs we had are possible because of ecommerce. A bunch of others
were related to Solr, etc.

I believe we would have much more secure OFBiz releases if indeed we did not
include the more fragile plugins.

On the other hand, when we fix these plugins' vulnerabilities we also secure
their usage by our users.

But for ecommerce the problem is you can create a user without being
signed on. Because it's about open ecommerce. We can't seriously change
that, can we?

Also I wonder how many people are using all the plugins. For some of them
I guess not many.

So what do you think about Jacopo's proposition?

Jacques

On 02/11/2023 at 11:18, Jacopo Cappellato wrote:
Yes, the plugins are included in all the releases of 18.12; for newer
release branches we can definitely revisit this decision (in fact I
think it would be nice to have framework only distributions).

