
osCommerce


Question process and security


RobertBlas


Hi folks, I am new to osCommerce. I have been establishing a cart for a client and I am enjoying wrestling with all the settings and exploring contributions etc.

However, the contrib process makes me a bit NERVOUS.

I cannot tell from the contrib website whether there is any monitoring for security on the contributions.

It seems like edits are made by so many people (rather than passed along to an author who then incorporates changes).

I am used to Perl's CPAN, where I have never felt this level of concern. CPAN makes clear that there is a testing process, and modules tend to have relatively stable authors.

Are my concerns justified? Is there a way to gauge the trustworthiness of the contribution process and/or of different contributions? Can this be laid out in the introduction page to the contribs?

Thanks .... for any thoughts.


It's there in red: Note: Contributions are used at own risk.

Any security problems with popular contributions generally come to light on our forums, and appropriate action is taken.

Please take note that anything you find here is released under the GPL license and does not come with warranty :D

Ultimately, *you* are responsible to your client - that is what you are paid for.

We have a large and dedicated community here, and security is a consideration for everybody.... it's not an issue taken lightly; however, the resources required to monitor contributions to the extent you suggest do not at present exist....

Matti


Thanks for your reply.

I did see the red warning --- however, I felt I needed a bit more info, and you provided a response that makes me somewhat less nervous ... while I still realize that I need to use discretion.

I wonder if there are ways to increase the level of trust without needing lots of additional resources. For example ... expanding the team membership list to include experienced coders ... allowing only main authors to publish new versions, while allowing others the ability to post patches.

Just a brainstorm.
