I must admit this is very disappointing, and not a very "community" sort of thing I would expect from someone who is an advocate for a "community". Instead, this is a very tyrannical approach to the whole thing and very disrespectful. So far the two people who have not seen this being a great improvement are you and then, once you spoke up, Adrian followed.

So, the revert was warranted because only you saw fit to revert it. Maybe I should start looking over your code and reverting things I don't agree with. That would surely drive this community in the right direction <sarcasm>.

Let's look at the current tally:

Anil, Scott and I have voiced approval for this proposal.
You and Adrian have voiced disapproval.

How does 3:2 justify an automatic revert? I think what you have done right here was very anti-community and EXTREMELY disrespectful to the one person who has been working with you 8 years to bring this project to where it is today. So, if your goal in reverting this was to piss me off and ruin what little respect I have left for you, it worked.

I will personally revert the rest of the code over the next week.


Andrew



On May 3, 2009, at 2:12 AM, David E Jones wrote:


This seemed like as good a message to respond to as any... nice thread though!

Since revisionist history seems popular in this thread here is my own: One day I saw a Jira issue that pointed to some big documents that were in someone's personal space on confluence, and pages I had not seen referenced before. Unfortunately posting something to confluence doesn't put it in front of very many eyes (ie only those who watch the regular updates), more on that below. The next day I saw some code going in, and then more and more. Being stuck traveling at the time I didn't have time to review or comment, and WHAM! there the code was and the ONLY way to get any changes to it at that point is to complain and fight like hell... being too tired for that and too frustrated with that and various other things, I just added my comments to a confluence page of my own, and this one is in the open wiki and not in my personal space:

http://docs.ofbiz.org/display/OFBIZ/Notes+on+New+Security+Model

How many people saw it? Well, no matter, if you are interested please take a look now.

My personal opinion on this is that the design has only subjective improvements and most of it is a big step backwards (easier but less flexible, for the services versus direct permission part anyway, and we decided long ago that flexibility was better than ease in this case; and yes there is a creative way to invoke code attached to permissions, but that is a bit inflexible IMO since much permission logic involved multiple permissions... it's the artifact we want the code attached to not the permission itself), plus will cause migration pain for those updating. I'm not against change and progress... unless it is change only for the sake of change and founded on someone's subjective opinion of what is better and easier.

I see no side-by-side comparisons or concrete improvements or even presentation of non-subjective issues to resolve (ie "this is prettier, and easier", that's subjective), just a bunch of stuff in the documents that is (in my subjective view) just a bunch of BS that could have been generated by a "business software BS generator". To find some great examples of those, search on google for "bs generator", some fun results include:

http://www.atrixnet.com/bs-generator.html
http://www.erikandanna.com/Humor/bullshit_generator.htm

It looks like what I was afraid of is EXACTLY what happened. Andrew and various others seem simply not interested in feedback, being convinced of what they have presented and not wanting to admit any appearance of fault, which appreciating and using feedback naturally does. If you think that's harsh then bash me like you've bashed Adrian. Don't worry... go for it! I happen to have a button with the letters "delete" on it, and I've been using it more and more lately.

As for how to move forward? How about we allow development to go on as desired, and we'll discuss and modify best practices over time. I will revert the changes to the example component (in the spirit of Commit-Then-Review that some are so fond of... well there's my review and a commit to boot!). BTW, thanks Andrew for isolating those in a single commit. For examples going forward while this is still up in the air, examples of use of new artifacts can be added (ie new service, screen, etc), or a patch can be kept on a jira issue for those who want to try it out. Once we have decided on best practices moving forward, then we can change the example component. Not sure how people want to move forward, but for now I have attached the patch here (note that this can also be produced with a "svn diff -r 770083:r770408 > AuthzExampleComponentSupport.patch" from the ofbiz/framework/example directory):

https://issues.apache.org/jira/browse/OFBIZ-2383

For other components let's not be too hasty. I won't get into a commit war over the example component, but for the rest I'll gladly do so since I think these changes have a negative ROI and this whole thing has turned into a big old chest-thumping mess. That being the case, sorry for joining in and thumping my own chest.

Hopefully we can discuss some security objectives and common cases we want to support, and then evaluate this new proposed approach against them and/or establish a new approach based on this. There definitely ARE areas where it is currently cumbersome to implement specific security related requirements.

-David


On May 1, 2009, at 10:00 PM, Andrew Zeneski wrote:

In the past, what 8 years that I have been working on OFBiz, not once have I had the masochistic urge to work on something which did not already have some sort of design. Never will you find me wishing to refactor something without having the requirements already known. So, you will never find me coming to the table empty handed, and that is exactly what this sort of "request" is asking.

Nor, do I want to review and discuss with someone an idea until they have their thoughts put together. So, what you can expect from me now, in the past and in the future is exactly your first statement. "Here is my design, what do you think..."


On May 1, 2009, at 10:56 PM, Adrian Crum wrote:


It's not the same! There is a big difference between "Here's my design, what do you think?" and "I'm interested in refactoring the security framework. Could you help me with the design?"

-Adrian

--- On Fri, 5/1/09, Scott Gray <scott.g...@hotwaxmedia.com> wrote:

From: Scott Gray <scott.g...@hotwaxmedia.com>
Subject: Re: Authz API Discussion (was re: svn commit: r770084)
To: dev@ofbiz.apache.org
Date: Friday, May 1, 2009, 7:49 PM
It's exactly the same in fact, we have a design proposed by somebody let's start discussing it.  Tear pieces out, replace some, improve others, whatever at least we have a starting point.

Regards
Scott

On 2/05/2009, at 2:37 PM, Adrian Crum wrote:


How about we start over and collaborate on a design? Is that so much different?

-Adrian


--- On Fri, 5/1/09, Scott Gray <scott.g...@hotwaxmedia.com> wrote:

From: Scott Gray <scott.g...@hotwaxmedia.com>
Subject: Re: Authz API Discussion (was re: svn commit: r770084)
To: dev@ofbiz.apache.org
Date: Friday, May 1, 2009, 7:30 PM
This discussion is going nowhere fast, how about we back track to Andrew's last email and start actually discussing the design.  Nothing is being foisted on anybody.

Regards
Scott

On 2/05/2009, at 2:19 PM, Adrian Crum wrote:


--- On Fri, 5/1/09, Anil Patel <anil.pa...@hotwaxmedia.com> wrote:
This is one of the big reasons what I love and hate community driven software. I don't see how what Andrew did is bad. Even though it was personal communication but I know Andrew only started after Adrian and Jacques showed interest by commenting on the page.

The only interest I showed was that I agreed that OFBiz security could use improvement, and I suggested he use a third party library. I did not endorse or approve of his design.

Andrew has been actively explaining his idea all this time.

As I demonstrated in another reply, no he did not. Only a few days went by between introducing the idea and committing code.

The work done till date is not blocking anybody, old security system is still in place. New system is implemented in example component so its lot easy for him to explain and people to understand.

What if the new work is a bad design? How will we know that until everyone has had time to evaluate it?

People have different ways of working in community, Joe is committer still all the time he creates Jira issue and uploads his patch and most of time its somebody else who does commits, but that's his way of working. If we don't do what Joe does then why should Andrew do what Adrian does.

As far as I know, Joe submits patches for things he doesn't have commit rights to.

I don't see any reason why we should start over.

Do you see a reason why we shouldn't? Will the project suffer immensely if we pause and wait for others to comment? Is there some catastrophe looming that requires us to rush this through?

All the time we talk about making things easy so people will contribute, Why do you want to resist a seasoned contributor for working. I'll rather have expect community will support. All the time he has been asking people to tell him suggestions, wish list etc. Why not support him and get more out of him instead.

If we can't invite the community to participate - as I suggested - then that only proves what I suspect - that this is a design that is being foisted on the community.

-Adrian












