Posted to dev@ofbiz.apache.org by Adam Heath <do...@brainfood.com> on 2012/05/10 23:43:45 UTC

backports(to 12.04) of my recent commits

I've added 2 major(ish) new features recently.

* salt-based password hashing(with base64 encoding)
* key-encrypting-key(kek) support.

The salt-based password feature was written when JIRA was hacked
several years ago; JIRA is based on an old version of OfBiz, so this
change could be considered a bug fix.

kek support is a new feature, however, so generally that wouldn't be
backported.  However, I feel strong enough about the
coolness/usefulness factor for this feature that I feel it really
*does* need to be backported.

So, I guess I'm asking for verification: Which of these features
should really be backported, and to which target branches?

ps: kek support *requires* the new hashing changes.

pps: I've already backported both of these to our internal 902021
branch(which is pre-10.04); so it would be possible for me to even go
back that far.

Re: backports(to 12.04) of my recent commits

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "Adam Heath" <do...@brainfood.com>
> I've added 2 major(ish) new features recently.
>
> * salt-based password hashing(with base64 encoding)
> * key-encrypting-key(kek) support.
>
> The salt-based password feature was written when JIRA was hacked
> several years ago; JIRA is based on an old version of OfBiz, so this
> change could be considered a bug fix.

I guess you will document the backports in and then close
https://issues.apache.org/jira/browse/OFBIZ-1151
https://issues.apache.org/jira/browse/OFBIZ-3006

For Jira: I guess Atlassian has already taken all the needed precautions

> kek support is a new feature, however, so generally that wouldn't be
> backported.  However, I feel strong enough about the
> coolness/usefulness factor for this feature that I feel it really
> *does* need to be backported.

I'm for it, the more secure OFBiz is the better! Now I think it's not only up to both of us to decide about such a thing, opinions?
For users it would be great to also create a Jira, instantly closed (sub-task of https://issues.apache.org/jira/browse/OFBIZ-1525)

> So, I guess I'm asking for verification: Which of these features
> should really be backported, and to which target branches?

We decided to no longer backport to releases under 10 (too many conflicts) so it would be the 10, 11 & 12 release branches. You could make an exception for R09.04 if you feel it's OK.

My 2cts

Jacques

> ps: kek support *requires* the new hashing changes.
>
> pps: I've already backported both of these to our internal 902021
> branch(which is pre-10.04); so it would be possible for me to even go
> back that far.