On Sat, Nov 9, 2013 at 1:39 PM, Nhomar Hernández <[email protected]> wrote:
> > 2013/11/9 Raphael Valyi <[email protected]>
> >
> >> I'm curious to see all XSS and DOS exploits that will be found against
> >> OpenERP powered websites in the wild. Come on, you have never been a web
> >> publishing technology, why not trust the work of those who have been
> >> instead? OpenERP SA is smarter than everybody else, is that the theory
> >> again?
>
> Men.
>
> I didn't see any bug report by you about this
>
Let's say there are a few attempts that make you dismiss and translate a whole "culture" about security: https://bugs.launchpad.net/openobject-addons/+bug/738721 .

> I tried to exploit by myself several well known issues and I didn't find
> any problem but I am almost sure that maybe I am forgetting something.
>
> But even, if I can not trust a !website! to a framework, "How in the name
> of God I can trust all an ERP",
>
You trust it? Joke aside, it's not the same Nhomar. Your ERP isn't really ostensibly exposed on the web for anyone to hack. And accepting anyone to log in the system and enter somewhat the ORM and relying on it, is a lot more involved than just having 20 employees doing their daily tasks in OpenERP.

> I think this statement is very dangerous, and if you don't put here proofs
> IMHO It is a bad intentional flame dude.
>
You don't get my point: it's exactly because nobody has ever really used OpenERP as a public website stack and because of the culture that my previous link shows that you cannot TAKE SECURITY FOR GRANTED. Well you can, but let's say I prefer to stick to battle tested things directly.

> And about DOS, it is not "Framework Problem" it is a "Server Problem" at
> least I am forgetting something.
>
It's not as simple: as soon as you have logged in users interacting with these apparently inoffensive templates, even with sandboxed safe evals things can easily be exploited for DOS attacks. Alexandre Fayolle has shown us examples of this already:

safe_eval(82173821737213782173821739921**881230980921832173821732132323798321)

You can DOS even by tricking public search requests. There are millions of ways to DOS a server, it's not just about putting NGinx before.

> We managing only server configuration with load balancing change from 60k
> to 1.060 Request per minute in our servers, caching, https it means
> following "Best practices", even rails and plone if you don't configure
> correctly the server, by default you can leave the server unusable "Having
> the feeling of DoS" we have 3 government cases here in VE with plone where
> after 6 months of problems with a Plone site a friend "plone expert",
> mixing the well recommended practices and testing correctly solved the
> problem in 3 hours[1].
>
It's intrinsic to the OpenERP ORM. The OpenERP ORM is transactional AND with **SNAPSHOT ISOLATION LEVEL**! This is perfect for accounting or MWS (no I don't want to switch accounting to MongoDB :-) But no, that doesn't scale at all, unless you also disrupt the concept of "scalability". If that scaled, believe me Google would be using PostgreSQL for Gmail. Of course, with caching you can even make Magento scale. But not everything can be solved with caching. Now, like a mail system, a CMS has none of the transactional requirements of an ERP. So I say trying to build the new CMS upon a transactional snapshot isolation ORM isn't very smart at best. Instead, I'm sorry but I think a CMS like LocomotiveCMS gets it all perfectly by plugging custom CMS data structures upon the scalable MongoDB DB (yes PG 9.4 stores json fast too now, that doesn't make it as "scalable").

When you see that it took me around 6 days only to get any OpenERP objects inside LocomotiveCMS as if they were CMS objects (cacheable if I need to) via erpify https://github.com/akretion/erpify, I say maybe it wasn't necessary to smoke over 200 man days to try to re-invent yet a new CMS that is kind of doomed by design anyway.

> [...]
>
> Be careful with your statements dude, because ignorant people can decide
> based on your credibility and a lot of people can lose business
> opportunities because of your statements.
>
In any case people, my goal is not to start a war about what web technology you should pick for your website, I'm just presenting an alternative solution that is already available without you having to migrate to some new version. Nhomar, at Akretion like many we refuse maybe 4 projects per day and without doing nearly any marketing, I'm pretty sure you are in the same situation (and no we cannot just raise the prices to match the demand exactly because most people already have the illusion the thing is easier than it is and hardly pay more or compromise the success of the project when doing so and don't provision enough days later). So maturing OpenERP doesn't need lying to people or hiding some information from them so that more leads come into the system, I really believe it has a lot more to do with producing more quality in the core and having that kind of debate, so that in turn people like us can hire guys able to do the work some believe is possible so that indeed, the eco-system grows for real. I also don't think I'm making FUD, but telling people we are building a website whose logic is backed by OpenERP which has 1 million partners inside and is targeting millions of connected users. Now, yes I defend the tech choices underlying it, that's all. Peace. Thanks.
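The exponentiation case Raphael cites above is the kind of input a sandboxed evaluator has to refuse before evaluating it: a single big-integer power is one C-level operation, so a signal-based timeout only fires after it has already finished consuming CPU and memory. The following is an added example, not code from this thread or from OpenERP's safe_eval: an AST pre-check that bounds integer literals, exponents and shift amounts before a (here deliberately minimal) eval runs; the limits and the helper names are assumptions to tune for a real deployment.

```python
import ast

MAX_EXPONENT = 10_000      # assumed ceiling for a literal right-hand operand of ** or <<
MAX_LITERAL_DIGITS = 64    # assumed ceiling on the decimal size of any integer literal


class ExpressionRejected(ValueError):
    """Raised when an expression is refused before evaluation."""


def _is_int_literal(node):
    # bool is a subclass of int, so compare the exact type
    return isinstance(node, ast.Constant) and type(node.value) is int


def check_expression(expr):
    """Parse expr and refuse it if it could build arbitrarily large integers."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if _is_int_literal(node) and len(str(abs(node.value))) > MAX_LITERAL_DIGITS:
            raise ExpressionRejected("integer literal too large")
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Pow, ast.LShift)):
            # only a literal right operand can be bounded statically
            if not _is_int_literal(node.right) or abs(node.right.value) > MAX_EXPONENT:
                raise ExpressionRejected("unbounded or oversized exponent/shift")
            # (a ** b) ** c escapes the per-node bound, so nesting is refused outright
            if any(isinstance(n, ast.BinOp) and isinstance(n.op, (ast.Pow, ast.LShift))
                   for n in ast.walk(node.left)):
                raise ExpressionRejected("nested exponentiation/shift")
    return tree


def guarded_eval(expr):
    """Evaluate an arithmetic expression only after check_expression accepts it."""
    tree = check_expression(expr)
    # empty builtins: a stand-in for a real sandbox, enough for arithmetic
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, {})


def is_accepted(expr):
    """True if the pre-check lets expr through, False if it is refused."""
    try:
        check_expression(expr)
        return True
    except (ExpressionRejected, SyntaxError):
        return False
```

A static check like this is only the first layer; the complementary control for untrusted expressions is evaluating them in a separate process with CPU and address-space limits, which a timeout inside the interpreter cannot replace.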
_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openerp-community
More help   : https://help.launchpad.net/ListHelp

