Community mailing list archives

Re: Odoo: #SecureERP Odoo crowdfund update

by Anders Wallenquist <> - 09/17/2015 11:41:13
Den 2015-09-17 kl. 15:44, skrev Ondrej Kuznik:
> > If the community for Odoo forms a security team, I think the way of
> > working should be more of monitoring and advising than be a mandatory
> > step in the publishing process.
> If you talk about the publishing process for the "app store", that is
> entirely under the control of Odoo S.A. and I doubt they will let anyone
> in, especially since reviewing any proprietary modules would require an
> NDA. Also consider that very few would be willing to sign an NDA like
> this just to offer a non-paid help to a proprietary competitor.

I don't think a community security team should be reviewing modules 
before publishing, with monitoring I meant a parallel process. If the 
security team finds vulnerabilities in a core module/framwork or other 
there are possibilities to post a patch through github (or private mail 
to the author).

> >
> > I would gladly join a security team if there where any.
> I have been pondering setting up an secure mailing list dedicated for
> such a community, if we find enough people dedicated to the cause, I
> will. I take this you would be interested in this.

Yes please.