
openerp-community team mailing list archive

Re: Status report on OpenERP CMS branch trunk-website-al....

 

On Sat, Nov 9, 2013 at 1:39 PM, Nhomar Hernández <nhomar@xxxxxxxxx> wrote:

>
> 2013/11/9 Raphael Valyi <rvalyi@xxxxxxxxx>
>
>> I'm curious to see all the XSS and DoS exploits that will be found against
>> OpenERP powered websites in the wild. Come on, you have never been a web
>> publishing technology, why not trust the work of those who have been
>> instead? OpenERP SA is smarter than everybody else, is that the theory
>> again?
>
>
> Men.
>
> I didn't see any bug report by you about this
>

Let's say there are a few attempts that make you dismiss and translate a
whole "culture" about security:
https://bugs.launchpad.net/openobject-addons/+bug/738721


> I tried to exploit several well-known issues myself and I didn't find
> any problem, but I am almost sure that maybe I am forgetting something.
>
> But even so, if I cannot trust a !website! to a framework, "How in the name
> of God can I trust a whole ERP?"
>

You trust it?
Joke aside, it's not the same, Nhomar. Your ERP isn't really ostensibly
exposed on the web for anyone to hack.
And letting anyone log in to the system and somehow reach the ORM, and
relying on that, is a lot more involved than just having 20 employees doing
their daily tasks in OpenERP.


> I think this statement is very dangerous, and if you don't put proofs here,
> IMHO it is an ill-intentioned flame, dude.
>

You don't get my point:

It's exactly because nobody has ever really used OpenERP as a public
website stack, and because of the culture that my previous link shows, that
you cannot TAKE SECURITY FOR GRANTED.

Well you can, but let's say I prefer to stick to battle tested things
directly.


>
> And about DoS, it is not a "framework problem", it is a "server problem",
> unless I am forgetting something.
>

It's not that simple: as soon as you have logged-in users interacting with
these apparently inoffensive templates, even with sandboxed safe evals, things
can easily be exploited for DoS attacks. Alexandre Fayolle has already shown
us examples of this:
safe_eval(82173821737213782173821739921**881230980921832173821732132323798321)
You can DoS even by tricking public search requests. There are millions of
ways to DoS a server; it's not just about putting Nginx in front.


> By managing only the server configuration with load balancing, caching
> and https, we changed from 60k to 1.060 requests per minute on our servers;
> it means following "best practices". Even with Rails and Plone, if you don't
> configure the server correctly, by default you can leave the server unusable,
> "having the feeling of DoS". We have 3 government cases here in VE with Plone
> where, after 6 months of problems with a Plone site, a friend, a "Plone
> expert", mixing the well recommended practices and testing correctly, solved
> the problem in 3 hours [1].
>

It's intrinsic to the OpenERP ORM. The OpenERP ORM is transactional AND with
**SNAPSHOT ISOLATION LEVEL**!
This is perfect for accounting or MWS (no, I don't want to switch accounting
to MongoDB :-)
But that doesn't scale at all, unless you also disrupt the concept of
"scalability".
If that scaled, believe me, Google would be using PostgreSQL for Gmail.

Of course, with caching you can even make Magento scale.
But not everything can be solved with caching.

Now, like a mail system, a CMS has none of the transactional requirements
of an ERP. So I say trying to build the new CMS upon a transactional
snapshot isolation ORM isn't very smart, at best.

Instead, I'm sorry, but I think a CMS like LocomotiveCMS gets it all
perfectly right by plugging a custom CMS data structure onto the scalable
MongoDB DB (yes, PG 9.4 stores JSON fast too now, but that doesn't make it as
"scalable").

When you see that it took me only around 6 days to get any OpenERP objects
inside LocomotiveCMS as if they were CMS objects (cacheable if I need
to) via erpify https://github.com/akretion/erpify, I say maybe it wasn't
necessary to smoke over 200 man-days trying to re-invent yet another CMS that
is kind of doomed by design anyway.


> [...]
>
> Be careful with your statements, dude, because ignorant people can decide
> based on your credibility, and a lot of people can lose business
> opportunities because of your statements.
>

In any case, people, my goal is not to start a war about what web technology
you should pick for your website; I'm just presenting an alternative
solution that is already available, without you having to migrate to some
new version.

Nhomar, at Akretion, like many, we refuse maybe 4 projects per day without
doing nearly any marketing; I'm pretty sure you are in the same situation
(and no, we cannot just raise the prices to match the demand, precisely
because most people already have the illusion that the thing is easier than
it is, and hardly pay more, or compromise the success of the project when
doing so and don't provision enough days later).

So maturing OpenERP doesn't require lying to people or hiding information
from them so that more leads come into the system. I really believe it
has a lot more to do with producing more quality in the core and having
that kind of debate, so that in turn people like us can hire guys able to
do the work some believe is possible, so that indeed the eco-system grows
for real.

I also don't think I'm spreading FUD, but telling people we are building a
website whose logic is backed by OpenERP, which has 1 million partners
inside and is targeting millions of connected users.

Now, yes I defend the tech choices underlying it, that's all.


Peace.


Thanks.
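The point made above about sandboxed safe evals, that an expression which is syntactically harmless can still exhaust the server, is easy to reproduce. The following is an added example, not code from the thread and not OpenERP's own safe_eval: a minimal AST-whitelist evaluator for integer arithmetic in Python, with a result-size budget that refuses the quoted expression before any memory is allocated. MAX_RESULT_BITS, MAX_EXPR_LEN, guarded_eval and is_rejected are hypothetical names chosen for this example.

```python
import ast
import operator

# Assumed limits (not OpenERP settings): the longest expression accepted and
# the largest integer result the evaluator will materialise.
# 65536 bits is roughly 20,000 decimal digits.
MAX_EXPR_LEN = 1000
MAX_RESULT_BITS = 1 << 16


class EvalBudgetExceeded(ValueError):
    """Raised before an operation whose result would exceed the bit budget."""


def _checked_mul(a, b, max_bits):
    # A product has at most bit_length(a) + bit_length(b) bits.
    if a.bit_length() + b.bit_length() > max_bits:
        raise EvalBudgetExceeded("product would exceed the result budget")
    return a * b


def _checked_pow(base, exp, max_bits):
    if exp < 0:
        raise ValueError("negative exponents are not allowed")
    if abs(base) <= 1:
        return base ** exp  # 0, 1 and -1 never grow, whatever the exponent
    # base**exp has at most bit_length(base) * exp bits.  The estimate is one
    # small multiplication, so it is cheap even for an absurd exponent.
    if base.bit_length() * exp > max_bits:
        raise EvalBudgetExceeded("power would exceed the result budget")
    return base ** exp


def _eval(node, max_bits):
    # Only integer literals, unary minus and a few binary operators are allowed.
    # Names, calls, attributes, comprehensions, strings etc. are refused.
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand, max_bits)
    if isinstance(node, ast.BinOp):
        left = _eval(node.left, max_bits)
        right = _eval(node.right, max_bits)
        op = type(node.op)
        if op is ast.Pow:
            return _checked_pow(left, right, max_bits)
        if op is ast.Mult:
            return _checked_mul(left, right, max_bits)
        if op in (ast.Add, ast.Sub):
            return {ast.Add: operator.add, ast.Sub: operator.sub}[op](left, right)
        if op in (ast.FloorDiv, ast.Mod):
            if right == 0:
                raise ValueError("division by zero")
            return {ast.FloorDiv: operator.floordiv,
                    ast.Mod: operator.mod}[op](left, right)
    raise ValueError("disallowed syntax: %s" % type(node).__name__)


def guarded_eval(expr, max_bits=MAX_RESULT_BITS):
    """Evaluate integer arithmetic from an untrusted string under a size budget."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")
    return _eval(tree.body, max_bits)


def is_rejected(expr, max_bits=MAX_RESULT_BITS):
    """True when the expression is refused (syntax, type or budget) instead of run."""
    try:
        guarded_eval(expr, max_bits)
    except (SyntaxError, ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    # The expression quoted in the thread.  The base has 97 bits and the
    # exponent is about 8.8e35, so the estimate is more than 10^36 bytes of
    # result: the guard refuses it instead of letting the server swap to death.
    bomb = "82173821737213782173821739921**881230980921832173821732132323798321"
    print("bomb rejected:", is_rejected(bomb))
    print("(2**100)**100 == 2**10000:", guarded_eval("(2**100)**100") == 2 ** 10000)
    print("chained blow-up rejected:", is_rejected("(2**1000)**1000"))
    print("injection rejected:", is_rejected("__import__('os').system('id')"))
```

The budget check is deliberately an upper bound computed from bit lengths, never from the value itself, so the cost of deciding is independent of the cost of the operation being refused; that is the property a sandbox needs for resource limits, on top of the syntax whitelist it already has for code injection. A wall-clock or CPU limit on the evaluating worker is still advisable as a second line of defence, since other constructs (repeated multiplication in a loop, pathological regexes) need different bounds.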
