Thank you Andrew. I appreciate this. It helps smooth things out, but
don't feel like you have to apologize for my sake. This sort of
interaction (both from me to you and back) seems to be a common thing
in these discussions. We all care about the things we work on
including specific things we design or create and things we use on a
regular basis, so it seems like over the years these things happen a
lot. The conversation carries on regardless and eventually we all
settle down and discuss things at least somewhat rationally... it's
just a matter of not giving up and I really appreciate that you have
not given up on this security topic.
It's wonderful that OFBiz is so big these days and has so many people
actively involved. It is a lot different from the early days when
writing and committing stuff was exactly what was done... usually
because nothing existed before or no one else was working on or
interested in working on a specific area. Also, if we changed
something that required a migration it didn't cause too much pain
because there weren't too many people using the stuff (and there
weren't many other users trying to keep up with the project, now there
are a lot).
Unfortunately this means that changes are much more carefully
monitored and have a much bigger impact so a lot more discussion is
required and things are a LOT more complicated. Personally I've given
up on the idea that I am even capable of designing and implementing
major changes by myself. I know that a certain level of research and
planning is necessary to be able to even present ideas, and
fortunately often other people do that too, and after I get involved
in those things I've been impressed by how much the collaboration
helps result in a cleaner and more effective solution. The security
stuff I did earlier this year was a great example, and that was all
started by someone (Michele) who had much more experience than me, and
then after researching and presenting possible solutions for OFBiz I
also got good feedback and was able to implement better things. I've
also been VERY fortunate in having other people participate in
implementation based on these efforts, which has seen the efforts
through with a LOT less of my own time required.
I guess in other words, overall I like it and it's great to have so
many good people involved. On that note, it's great that you're
getting much more involved again and that you're pushing all of us to
improve this messy part of OFBiz, i.e. the access control aspect of
security.
-David
On May 5, 2009, at 5:24 PM, Andrew Zeneski wrote:
David,
I would like to publicly apologize for my behavior this past
weekend. While I do not believe you (or anyone else) has the right
to revert any commit which does not directly affect the build or
ability to run the trunk without first discussing with the author
and giving them a chance to correct/revert the changes themselves; I
also do not believe I should have responded to you the way I did.
For that I wish to offer you my sincerest apology.
I do not believe your actions were a direct attack on me personally,
I responded abruptly in the heat of the moment. Having worked
together on OFBiz for the last 8 years we both should have been able
to rectify any differences without offending one another. Again, I
apologize for not acting appropriately.
Andrew
On May 3, 2009, at 4:00 PM, Andrew Zeneski wrote:
Inline...
Please don't revert the rest of the code. The point is that this
needs time to mature, so it should stay in there but not become
the default... not YET anyway.
I will leave what was implemented alone for the time being.
Also, please don't be personally offended by this. Just because
there are comments and feedback doesn't mean something has no
merit, it just means that some adjustments to it might be able to
improve it. That's what collaboration is all about, and I guess if
you'd rather not do it than have other people comment on it and
make changes to it then collaboration will be difficult.
I am not offended by any comments or feedback, I was only offended
by your actions. Reverting the example was nothing more than a
power move by you. You can argue this if you wish, but the fact is
nothing else except for an example was affected, and there has been
no discussion by anyone to revert anything yet. If you did feel
that it was problematic, it should have been brought up if not to
the community then at least to me personally.
Just to clear that up... are you saying you would rather not do
any of this than make some changes and refinements to it based on
feedback? I hope that's not the case. My intent with this, as I
explained in my email, is to make a compromise and allow
development and improvement on this to continue without impact on
other parts of the project until it is more ready for that.
Your assumptions (as assumptions often are) are completely wrong. Even
though you say now you hope this isn't the case, you have publicly
accused me of this in your Notes On Security Changes document. What
have I been doing for the past week? It surely wasn't moving ahead
and checking in changes to all the applications to use a new
authorization pattern. What I have been doing is acquiring
additional needs/requirements, comparing them to what I have planned
and trying to discuss with the community these changes. Refining
the API and including the requirements which I have gathered.
You keep claiming that this new pattern is less flexible. While
that may (but I don't agree) be true to a certain extent, it is
also far MORE flexible when it comes to creating custom
implementations for vertical, custom or customized applications.
Andrew