Community mailing list archives
Re: Security - Odoo enterprise - DB access
I think Odoo Official treats security in the right way. First of all, the patch is provided to the enterprise users, and the security breach details will be published later. To publish a security breach without a remedy would encourage hackers to use the bug in the system and harm the true users.
Oliver

------------------ Original ------------------
From: "Andreas Becker" <email@example.com>
Date: Tue, Apr 19, 2016 09:11 AM
To: "Community" <firstname.lastname@example.org>
Subject: Re: Security - Odoo enterprise - DB access

On Sat, Apr 16, 2016 at 11:10 PM, Fabien Pinckaers <email@example.com> wrote:
we send them an email, along with a patch, a few weeks before we disclose the security breach publicly.
Hi Fabien,

Why do you keep security issues hidden from the public for weeks? I think it is not a good way to increase public trust in customers when you leave Odoo websites open to serious security issues even when you already have a patch available.

To increase TRUST in Odoo it would be much, much better to provide the patch asap for everyone and, of course, publish the security issue immediately after it has been discovered, so that ALL users are warned, especially also those who are not using the Enterprise version.

Even better would be to publish and report security issues of Odoo also to Secunia, which provides a great database of security advisories for everyone for free.

Security, especially of an ERP system which holds hundreds, thousands, perhaps even millions of customers' data and their customers' data, should be the FIRST priority and treated as such. If Odoo and its community and the team which provides the software are such a great and fast working and patching team, then they can really present their fast way of patching things publicly as well. Right now it looks more like the typical Microsoft way, which means that security issues are not announced publicly for weeks, months, perhaps even years until a patch is available, and, as you wrote, even then the public is excluded from that patch for weeks, which is horrible in terms of security for an enterprise and Open Source ERP system like Odoo / OpenERP.

A last question: How many issues have not been announced until now because your team wasn't able to provide a patch until now? Is Odoo safe or vulnerable?

Please disclose ALL security issues of Odoo asap so that everyone in the community could help to get things patched and secure again.

Thanks
Andi