Re: Groovy Migration : createRequirementFromItemATP

2020-03-06 Thread Pierre Smits
Hi Gil,

If that other function (createATPRequirementsForOrder service) has been in
play since 2007, we can, I would say safely, assume that the
createRequirementFromItemATP function/service can be removed from the
codebase immediately and port its removal to the 18.11 branch. No need to
slate it deprecated and leave it in and forgotten.


Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz since 2008 (without privileges)

*Apache Trafodion, Vice President*
*Apache Directory, PMC Member*
Apache Incubator, committer
Apache Steve, committer


On Fri, Mar 6, 2020 at 6:04 PM Gil Portenseigne wrote:

> Hello !
>
> While migrating createRequirementFromItemATP, I stumbled upon a comment
> from David Jones :
> > NOTE DEJ20090902: this service is not called
> > anywhere, instead the createATPRequirementsForOrder service (written in
> > Java) is called; why this is the case I don't know... -->
>
> I investigated a bit and found the commit
>
> https://github.com/apache/ofbiz-framework/commit/edc1c0398f77157f590ad99d52e90fc29e251190
> That seems to refactor the service.
>
> As createRequirementFromItemATP minilang service seems not used in
> project (outside one integration test), should we not deprecate it in
> next release (18.12) and remove it in trunk ?
>
> WDYT ?
>
> Regards,
>
> Gil
>


Re: OFBIZ-11415: Backport request - Using FlexibleStringExpander in form widget field's parameter names

2020-03-06 Thread Jacques Le Roux

Hi Daniel, All,

At https://markmail.org/message/ahu6kz7dihcyp45z you asked

   "How do committers decide which features to backport to 18.12?"

I (roughly) answered

    "The rule is normally we only backport bug fixes, obviously to avoid regression.  But if nobody disagrees for simple new features or improvements sometimes we backport"


I have decided I'll backport after the weekend OFBIZ-11415 & OFBIZ-11418 in at 
least R18 if nobody is against.

As I said already, I'm also considering the related OFBIZ-4035 and will work on 
it next week, if nobody beats me on it...

Jacques

On 25/02/2020 at 15:04, Daniel Watford wrote:

Hello,

I've created https://issues.apache.org/jira/browse/OFBIZ-11415 as a
request to backport functionality introduced to trunk by
https://issues.apache.org/jira/browse/OFBIZ-11330.

PR created: https://github.com/apache/ofbiz-framework/pull/31

Thanks,

Dan.



Groovy Migration : createRequirementFromItemATP

2020-03-06 Thread Gil Portenseigne
Hello !

While migrating createRequirementFromItemATP, I stumbled upon a comment
from David Jones :
> NOTE DEJ20090902: this service is not called
> anywhere, instead the createATPRequirementsForOrder service (written in
> Java) is called; why this is the case I don't know... -->

I investigated a bit and found the commit
https://github.com/apache/ofbiz-framework/commit/edc1c0398f77157f590ad99d52e90fc29e251190
That seems to refactor the service.

As createRequirementFromItemATP minilang service seems not used in
project (outside one integration test), should we not deprecate it in
next release (18.12) and remove it in trunk ?

WDYT ?

Regards,

Gil




Re: buildbot failure in on ofbizTrunkFramework

2020-03-06 Thread Gil Portenseigne
I introduced a test error with my new test, I'll look into it.

Gil

On Fri, Mar 06, 2020 at 03:48:10PM +, build...@apache.org wrote:
> The Buildbot has detected a new failure on builder ofbizTrunkFramework while 
> building ofbiz-framework. Full details are available at:
> https://ci.apache.org/builders/ofbizTrunkFramework/builds/1311
> 
> Buildbot URL: https://ci.apache.org/
> 
> Buildslave for this Build: asf947_ubuntu
> 
> Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' 
> triggered this build
> Build Source Stamp: [branch trunk] 53a8b812607f9987a1063f18062a5318cafe444c
> Blamelist: Gil Portenseigne 
> 
> BUILD FAILED: failed shell_2
> 
> Sincerely,
>  -The Buildbot
> 
> 
> 




Re: Demo instance for OFBiz 17.12 release and remove 13.07 demo

2020-03-06 Thread Pierre Smits
We could also decide to reduce the burden (on INRA - cost wise, and on
contributors - maintenance wise ) to only have 1 demo implementation. That
against latest release.

With current enhancement under
https://github.com/apache/ofbiz-framework/pull/43 (potential) adopters can
evaluate and/or test the latest in trunk easily in a contained environment.
And the same goes for developers/contributors.

As for 'Previous Stable Release', without any data we can't tell whether
this serves any desire or need. So, should we keep it?

Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz since 2008 (without privileges)

On Fri, Mar 6, 2020 at 10:35 AM Swapnil M Mane wrote:

> Hello team,
> Currently we have three demo instances [1] for OFBiz.
>
> -- Current Stable Release 16.11 - Demo
> https://demo-stable.ofbiz.apache.org/ordermgr/control/main
>
> -- Developer Trunk - Demo
> https://demo-trunk.ofbiz.apache.org/ordermgr/control/main
>
> -- Previous Stable Release 13.07 - Demo
> https://demo-old.ofbiz.apache.org/ordermgr/control/main
>
> As we have our new OFBiz release 17.12, should we think of taking the
> following actions:
>
> 1. The 'Current Stable Release' instance should have release 17.12
> i.e. demo-stable.ofbiz.apache.org should deploy on release 17.12
>
> 2. The 'Previous Stable Release' instance should have release 16.11
> i.e. demo-old.ofbiz.apache.org should deploy on 16.11
>
> After this migration, we will *no longer have 13.07 - Demo* instance.
>
> Here are some more details about the 13.07 demo instance.
> The 13.07 instance goes down abruptly very frequently.
> After this, it requires manual interaction to restart, in recent times
> Jacques and I manually restarted it many times.
> Looking at the current scenarios, it seems our users are also not
> using 13.07 demo instance on a frequent basis, because no one from our
> users reports to us when it is down ;-)
>
> [1] https://ofbiz.apache.org/ofbiz-demos.html
>
> Best regards,
> Swapnil M Mane,
> ofbiz.apache.org
>


Demo instance for OFBiz 17.12 release and remove 13.07 demo

2020-03-06 Thread Swapnil M Mane
Hello team,
Currently we have three demo instances [1] for OFBiz.

-- Current Stable Release 16.11 - Demo
https://demo-stable.ofbiz.apache.org/ordermgr/control/main

-- Developer Trunk - Demo
https://demo-trunk.ofbiz.apache.org/ordermgr/control/main

-- Previous Stable Release 13.07 - Demo
https://demo-old.ofbiz.apache.org/ordermgr/control/main

As we have our new OFBiz release 17.12, should we think of taking the
following actions:

1. The 'Current Stable Release' instance should have release 17.12
i.e. demo-stable.ofbiz.apache.org should deploy on release 17.12

2. The 'Previous Stable Release' instance should have release 16.11
i.e. demo-old.ofbiz.apache.org should deploy on 16.11

After this migration, we will *no longer have 13.07 - Demo* instance.

Here are some more details about the 13.07 demo instance.
The 13.07 instance goes down abruptly very frequently.
After this, it requires manual interaction to restart, in recent times
Jacques and I manually restarted it many times.
Looking at the current scenarios, it seems our users are also not
using 13.07 demo instance on a frequent basis, because no one from our
users reports to us when it is down ;-)

[1] https://ofbiz.apache.org/ofbiz-demos.html

Best regards,
Swapnil M Mane,
ofbiz.apache.org


Re: OFBiz releases are failing verification checks

2020-03-06 Thread Pierre Smits
Furthermore,

With recent https://github.com/apache/ofbiz-framework/pull/43 we don't need
to deliver a convenience package containing both the base and the
extensions anymore.

This will enable (potential) adopters to evaluate/test-drive a fully
operational OFBiz implementation in a contained environment (docker
container).

Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz since 2008 (without privileges)


[CVE-2020-1943] Apache OFBiz XSS Vulnerability

2020-03-06 Thread Jacopo Cappellato
Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.07

Description:
Data sent with "contentId" to "/control/stream" is not sanitized, allowing
XSS attacks.

Mitigation:
Upgrade to 17.12.01 or manually apply the commits at OFBIZ-10753


Credit:
Timon Funck 

References:
http://ofbiz.apache.org/download.html#vulnerabilities
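
A detection check for the issue in this advisory, as an added example that is not part of the original message and not OFBiz code: it scans an access log for requests to `/control/stream` whose `contentId` value contains anything other than identifier characters. The combined log format, `contentId` travelling in the query string, the identifier allow-list, the `/content` mount point in the constructed sample lines, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not OFBiz code): flag access-log entries where the "contentId"
# parameter sent to "/control/stream" holds anything but identifier characters.
# Assumptions: combined log format, parameter in the query string, and
# identifiers limited to [A-Za-z0-9_-].

flag_stream_requests() {
    # $1 = access log (stdin when omitted); prints "client<TAB>contentId value"
    awk '
    {
        # Request line is the first double-quoted field: METHOD URI PROTOCOL
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next
        uri = req[2]
        qpos = index(uri, "?")
        if (qpos == 0) next
        if (substr(uri, 1, qpos - 1) !~ /\/control\/stream$/) next
        n = split(substr(uri, qpos + 1), params, "&")
        for (i = 1; i <= n; i++) {
            eq = index(params[i], "=")
            if (eq == 0 || substr(params[i], 1, eq - 1) != "contentId") continue
            value = substr(params[i], eq + 1)
            # Percent-encoded markup contains "%", so it fails the allow-list too
            if (value !~ /^[A-Za-z0-9_-]*$/) print $1 "\t" value
        }
    }' "${1:--}"
}

# Constructed sample log lines (not real traffic)
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [06/Mar/2020:10:00:00 +0000] "GET /content/control/stream?contentId=10000 HTTP/1.1" 200 512
192.0.2.44 - - [06/Mar/2020:10:00:05 +0000] "GET /content/control/stream?contentId=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 498
192.0.2.10 - - [06/Mar/2020:10:00:09 +0000] "GET /content/control/main?contentId=%3Cb%3E HTTP/1.1" 200 1200
EOF
}

# Usage: flag_stream_requests access.log    or    sample_log | flag_stream_requests
```

Hits on an instance still running an affected 16.11 release are worth reviewing alongside the upgrade named under Mitigation.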


[ANNOUNCE] Apache OFBiz 17.12.01 release

2020-03-06 Thread Jacopo Cappellato
The Apache OFBiz community is pleased to announce the new release "Apache
OFBiz 17.12.01".

Apache OFBiz® is an open source product for the automation of enterprise
processes that includes framework components and business applications.

http://ofbiz.apache.org/

"Apache OFBiz 17.12.01" is the latest release of OFBiz and is the first of
the 17.12 series that supersedes the 16.11 release branch; for more details
of the changes introduced with this new version please refer to
http://ofbiz.apache.org/release-notes-17.12.01.html

The release file can be downloaded following the instructions in the OFBiz
download page:

http://ofbiz.apache.org/download.html

The OFBiz community.


Re: OFBiz releases are failing verification checks

2020-03-06 Thread Pierre Smits
IMO, despite all the encouragements by the ASF and the project, people do
what they like. And some even may not want to have all plugins included.

Given that the project already voted favourably on the first convenience
package of the 17.12 branch (which incorporates, and is based on, the
releases in the two repos), it seems to me that you can go ahead by
creating the .asc and .sha512 files for each of the releases in the repos
and upload those together with those repo releases into
http://downloads.apache.org/ofbiz.

Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz since 2008 (without privileges)

*Apache Trafodion, Vice President*
*Apache Directory, PMC Member*
Apache Incubator, committer
Apache Steve, committer


On Thu, Mar 5, 2020 at 7:57 AM Jacopo Cappellato <jacopo.cappell...@gmail.com> wrote:

> On Wed, Mar 4, 2020 at 4:12 PM Pierre Smits wrote:
>
> > [...]
> >
> > Recently the releases became available via the official repositories on
> > Github:
> >
> >    - https://github.com/apache/ofbiz-framework/releases
> >    - https://github.com/apache/ofbiz-plugins/releases
> >
> > I tried to verify these with the function available in the ofbiz-tools
> > repo, like:
> >
> > ../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh ofbiz-framework-release17.12.01.zip
> > [...]
>
>
> Some additional details about the verification process from ASF ([*]):
> "You are encouraged to download the releases from our mirrors. Signatures
> and checksums are only available from the official Apache Software
> Foundation site.
> Our download pages point you to the mirrors for releases and to the
> official site for signatures and checksums."
>
> [*] https://www.apache.org/info/verification.html
>
> Jacopo
>
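
Added example, not part of the thread and not the ofbiz-tools `verify-ofbiz-release.sh` script: a checksum check of the kind discussed above, which reports a missing `.sha512` file separately from a digest mismatch. The function names and the accepted `.sha512` layouts are assumptions.

```shell
#!/bin/sh
# Added example (not the ofbiz-tools script): check a release archive against
# its .sha512 sidecar. A matching digest shows integrity only; origin still
# needs the .asc signature checked with gpg against the project KEYS file.

actual_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

expected_sha512() {
    # Accepts "HEX  name" (sha512sum), bare "HEX", or the wrapped, upper-case
    # "name: HEX HEX ..." layout written by gpg --print-md.
    awk '
        { sub(/\r$/, "") }
        /:/ { sub(/^[^:]*:/, ""); wrapped = 1 }
        wrapped { gsub(/[ \t]/, ""); digest = digest $0; next }
        digest == "" { digest = $1 }
        END { print tolower(digest) }' "$1"
}

verify_release_sha512() {
    # Returns 0 on match, 1 on mismatch, 2 when no usable checksum is present
    archive=$1
    sidecar=${2:-$1.sha512}
    if [ ! -f "$archive" ] || [ ! -f "$sidecar" ]; then
        echo "missing $archive or $sidecar: checksums come from the official Apache site" >&2
        return 2
    fi
    expected=$(expected_sha512 "$sidecar")
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest in $sidecar" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed digest in $sidecar" >&2; return 2; }
    actual=$(actual_sha512 "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive"
    else
        echo "MISMATCH: $archive" >&2
        return 1
    fi
}

# Usage: sh verify.sh ofbiz-framework-release17.12.01.zip
if [ "$#" -gt 0 ]; then verify_release_sha512 "$@"; fi
```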