From: "Adam Heath" <doo...@brainfood.com>
> I've added 2 major(ish) new features recently.
>
> * salt-based password hashing (with base64 encoding)
> * key-encrypting-key (kek) support.
>
> The salt-based password feature was written when JIRA was hacked
> several years ago; JIRA is based on an old version of OfBiz, so this
> change could be considered a bug fix.

I guess you will document the backports and then close
https://issues.apache.org/jira/browse/OFBIZ-1151
https://issues.apache.org/jira/browse/OFBIZ-3006

For Jira: I guess Atlassian has already taken all the needed precautions

> kek support is a new feature, however, so generally that wouldn't be
> backported.  However, I feel strongly enough about the
> coolness/usefulness factor for this feature that I feel it really
> *does* need to be backported.

I'm for it, the more secure OFBiz is the better! Now I think it's not only up to
both of us to decide about such a thing, opinions?
For users it would be great to also create a Jira, instantly closed (sub-task of
https://issues.apache.org/jira/browse/OFBIZ-1525)

> So, I guess I'm asking for verification: Which of these features
> should really be backported, and to which target branches?

We decided to no longer backport to releases under 10 (too many conflicts), so it would be the 10, 11 & 12 release branches. You could make an exception for R09.04 if you feel it's OK.

My 2cts

Jacques

> ps: kek support *requires* the new hashing changes.
>
> pps: I've already backported both of these to our internal 902021
> branch (which is pre-10.04); so it would be possible for me to even go
> back that far.
