Community mailing list archives
Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!
On Thu, Nov 12, 2015 at 12:17 AM, Dominique Chabord <firstname.lastname@example.org> wrote:
Also check a no-phone-home module which disables hidden data transmissions to Odoo. As a general rule, Odoo considers up-selling to your customers is their right, as it was explained at Odoo experience days. If you are an official reseller, there is little you can do about it, iiuc. regards
Thanks Dominique for that explanation. Where can we find a no-phone-home module? Could you recommend one?
Thanks also to Fabien for the explanation, but I disagree that it is good practice.
Good practice would be to ask the customers first if they want to have their data sent to Facebook (similar to opt-in/opt-out or cookie bar features). I think we should submit that feature for review to the German Datenschutzbeauftragten, as probably many companies running Odoo might be affected by that and not even know about it. At least there should be an opt-in/opt-out option, as said already. When you click that button to reset your password there is no message and nothing, not even the URL of that link, which points out that the data gets transferred and the customer gets linked to odoo.com (by default).
The question is in general when data gets sent to Odoo if a customer presses a button which does not state that it directs to Odoo.
In Europe they have very strict privacy laws, and even putting something like Facebook, Google stuff or even any analytics code can cause you problems legally if you don't inform the user about it. So I would suggest that the default gets changed to be an opt-in/opt-out solution where people get asked, and that the button clearly states that the request gets sent to odoo.com, where the customer usually doesn't have an account when he is new!
As a company building a site you might get into serious problems if the customer and its users are not aware of it!
@ all those +1 Trolls in that Thread here:
It is very sad to see so many people clicking +1 instead of starting to take responsibility for their customers like Dominique and also Luke do. And they can even provide solutions to solve this problem. Companies who worry about privacy and legal laws should better avoid letting their staff build those +1 Trolls in that Thread. Who knows what else gets inserted without the customers' and their users' knowledge.
Sorry! But after reading what Dominique wrote, I understand this behaviour; you are perhaps official resellers.
Dominique brought up two very interesting points:
As a general rule, Odoo considers up-selling to your customers is their right, as it was explained at Odoo experience days.
Is it indeed like this, Fabien? You are collecting data to be able to up-sell to the customers of those who use Odoo on any site built with Odoo?
This would mean that also much more data gets collected. Perhaps you could explain in short where and what data gets transferred to Odoo to be able to up-sell to customers and probably even those listed in their contact databases? Thanks
If you are an official reseller, there is little you can do about it.
This sounds to me like a "Maulkorb Erlass", as we say in Germany. So even if you know that things are wrong and not like they should be, you are not allowed to talk about it. Is this what you mean, and is this the purpose of the Odoo Reseller Program: to keep people quiet and not talking?
This is very totalitarian thinking and absolutely not in the sense of "LIBRE" or open-minded. So as a reseller you are giving up your freedom?
A solution would actually be quite easy to accomplish.
Set up another branch and name it "the no-phone-back and debranded branch", and instead insert a header text into the source code, like TYPO3 does, which states that it is Odoo and that it is released under a GPL license, incl. no warranty etc. There is really no need to display Odoo everywhere, and IMHO it is a serious risk for all companies using Odoo in the current form if it can't be brought to a no-phone-back version.
I am pretty sure that this branch would be soon the main community branch where people will contribute.
Besides this, I would recommend for the OCA that they make it mandatory that a module listed there has to be released under an AGPL v.3 or GPL v.3 license and not under an LGPL v.3 license. Only this way could you really ensure that Odoo stays FLOSS, and perhaps a debranded no-phone-back branch could be listed there too.
Fabien, I asked already in another thread but until now did not get a clear answer. Do customers have to calculate with more license changes, and that modules get released in their new versions under a perhaps partly proprietary license to get the full features, or will it stay LGPL or, even better, go back to AGPL? As you pointed out, the MRP gets a complete overhaul! It would be great to make this clear, as there is also an effort to enhance the AGPL v.3 MRP module.
Thanks a lot