I step back to this because I believe this is a good point.

Andy: I did not become aware of your new security till last Thur. I have been wrapped up in other projects and have not paid much attention to the dev list. My apologies. So to me this has not been sitting in front of me for long. Plus you have been very involved with this, so it seems a no-brainer. I, on the other hand, have to first get my head around your concept, then compare against the old way. That takes me at least a week or more with everything else that is going on in my life. I do believe in code review, seeing the weaknesses and strengths of both systems. However, that takes a lot to cover this big a system. So in my view, having a target of three months before implementing, with review as active as it is now, would be what I consider normal.
My reason for not speaking up till now: I am still working this through in my mind. I actually had some questions that I wanted clarified, till I saw the discussion had turned in a non-review vein. I will post those under a separate email.

As a humorous side note, your massive patch and the revert got rejected by my mail server, which is set to reject files of 40K or more.

Andrew Zeneski sent the following on 5/1/2009 6:30 PM:
> I think everyone needs to step back just a bit. Yes, some code was
> written, but nothing that drastically changes anything. Actually, I paid
> very close attention to make sure that this could sit on the side lines
> so it could be evaluated. Very little effort has been put into the real
> work of migrating the applications, but that is going to change soon...
>
> So, instead of discussing what should or should not have been done, look
> at the fact that this entire effort is sitting in the community's lap
> right this minute. But instead of reviewing what is there, pointing out
> weaknesses, offering suggestions or anything constructive at all, the
> discussion is solely around whether or not code should have been
> implemented or not. Let's face it, these documents have been in front of
> you for over a week, and there was not a single objection or concern
> raised until today. I have only a limited amount of free time, and if I
> am going to follow this effort through to the end, it needs to have a
> steady progression. So to be frank, get over it.
>
> Code is being worked on actively for this effort, and I am expecting
> more involvement as soon as the API is finalized. That said, if you do
> have something to add, wish to see or just want to be involved, now is
> the time to be proactive! Otherwise the effort will push forward with
> the people who are indeed interested in improving security in OFBiz.
>
> Andrew
>
> On May 1, 2009, at 8:38 PM, Adrian Crum wrote:
>
>> --- On Fri, 5/1/09, Scott Gray <[email protected]> wrote:
>>> Some of these questions in the discussions so far give me
>>> the feeling that the write up Andrew put in confluence
>>> hasn't been read, is that the case?
>>>
>>> Anyway I'm a +1 for the new auth framework, I think it
>>> gives us more power AND simplicity. Will it need improvement
>>> over time? Of course it will, but I think it's a much
>>> better base to work from.
>>
>> I don't know if you were around at the time, but I was. One of the
>> "weaknesses" Andrew is trying to fix with this latest effort is the
>> permissions services - another design he introduced a couple years
>> ago. Everyone went along with it and re-wrote code to use service
>> permissions. (I spent several weekends just converting the accounting
>> component over to the new security implementation). Now we're being
>> told "Oops, that design is limited, let me try again."
>>
>> Why would anyone have any objection to opening this up to the
>> community before we start writing code? Maybe there are others who see
>> weaknesses in the new design. Give them a chance to offer input.
>>
>> -Adrian

--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.
