Community mailing list archives

community@mail.odoo.com

Re: Security - Odoo enterprise - DB access

by Andi Becker - 04/18/2016 21:07:07

On Sat, Apr 16, 2016 at 11:10 PM, Fabien Pinckaers <fp@odoo.com> wrote:
> we send them an email, along with a patch a few weeks before we disclosed the security breach publicly.

Hi Fabien

Why do you keep security issues hidden from the public for weeks? I think it is not a good way to increase public trust in customers when you leave Odoo websites open to serious security issues even though you already have a patch available.

To increase TRUST in Odoo it would be much, much better to provide the patch asap for everyone and of course publish the security issue immediately after it has been discovered, so that ALL users are warned, especially also those who are not using the Enterprise version.

Even much better would be to publish and report security issues of Odoo also to Secunia, who is providing a great database with security advisories for everyone for free.

Security, especially of an ERP system which holds hundreds, thousands, perhaps even millions of customers' data and their customers' data, should be FIRST priority and treated as such. If Odoo and its community and Team which provides the software is such a great and fast working and patching team, then they really can present their fast way of patching things also publicly. Right now it looks more like the typical Microsoft way, which means that security issues do not get announced publicly for weeks, months, perhaps even years until a patch is available, and as you wrote, even then the public gets excluded for weeks from that patch, which is horrible in terms of security for an enterprise and Open Source ERP System like Odoo / OpenERP is.

A last question: How many issues have not been announced until now as your team wasn't able to provide a patch until now? Is Odoo Safe or Vulnerable?

Please disclose ALL security issues of Odoo asap so that all in the community could help to get things patched and secure again. Thanks

Andi


With kind regards,

 ANDI BECKER

CEO/General Manager LisAndi Co., Ltd.

--------------------------------------------------

LisAndi Co. Ltd., Phuket, Thailand (lisandi.com)
15/21 M.2 Viset Road, Rawai, Muang, Phuket, Thailand 83130

Mobile: +66 (0)81 606 3378
VoIP:   +49 (0)711 50 88788 50
Fax:     +49 (0)711 50 88788 50
Skype:          lisandi
Facebook:     andibecker
Google Talk/Facetime/eMail:  andi@lisandi.com

--------------------------------------------------