Hi James, I think I have enough courage now to speak up.
There is a huge barrier to entry for the Fineract project. I think your reference to "vendors" even makes it worse. I do not know that this is how Apache works, or maybe I am just used to CNCF with better organisation. For example, the Fineract release cycles are really messed up, especially for the last two releases. Almost everything is outdated, and there are people who thrive in this chaos and disorganization. We may call them vendors. Can you explain the closed loop? For instance, I may be a SysOps person who wants to streamline and make the project deployable on different environments without sweat. But guess what? We appreciate the closed loop, and prefer vendors to do it? And then talking about security vulnerability fixes in this way is even adding salt to the injury. Shame on you Apache!

William

On Mon, Mar 18, 2024 at 5:50 PM James Dailey <jdai...@apache.org> wrote:
> Devs -
>
> Today we are announcing that release 1.9.0 fixed a few reported CVEs. Those should be showing up here on the listserv shortly. Version 1.8.4 and prior were not fixed and likely contain these vulnerabilities. We are circumspect in how we describe them - you can dig further via the PRs and the related tickets.
>
> The CVEs are also documented here:
>
> https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>
> With Yash Sancheti helping, we created a How to Secure Fineract page. Additional best practices should be shared there or on list to ensure that all instances of Fineract are kept secure.
>
> https://cwiki.apache.org/confluence/display/FINERACT/Securing+Fineract
>
> I would encourage everyone to review their security practices. Fineract should not simply be downloaded and run in production environments without taking into account attack vectors and proper security. There are vendors available to help with this.
>
> Report vulnerabilities and exploits to Security AT fineract.apache.org
>
> Thank you
> James
> PMC Fineract