RobertBlas Posted August 1, 2005

Hi folks, I am new to osCommerce. I have been establishing a cart for a client and I am enjoying wrestling with all the settings and exploring contributions etc. However, the contrib process makes me a bit NERVOUS. I cannot tell from the contrib website whether there is any monitoring for security on the contributions. It seems like edits are made by so many people (rather than passed along to an author who then incorporates changes). I am used to Perl's CPAN, where I have never felt this level of concern. CPAN makes clear that there is a testing process, and modules tend to have relatively stable authors. Are my concerns justified? Is there a way to gauge the trustworthiness of the contribution process and/or of different contributions? Can this be laid out in the introduction page to the contribs? Thanks .... for any thoughts.
Guest Posted August 1, 2005

It's there in red: Note: Contributions are used at own risk. Any security problems with popular contributions generally come to light on our forums, and appropriate action is taken. Please take note that anything you find here is released under the GPL license and does not come with warranty :D Ultimately, *you* are responsible to your client - that is what you are paid for. We have a large and dedicated community here, and security is a consideration for everybody.... it's not an issue taken lightly; however, the resources required to monitor contributions to the extent you suggest do not at present exist.... Matti
RobertBlas (Author) Posted August 1, 2005

> It's there in red: Note: Contributions are used at own risk. Any security problems with popular contributions generally come to light on our forums, and appropriate action is taken. Please take note that anything you find here is released under the GPL license and does not come with warranty :D Ultimately, *you* are responsible to your client - that is what you are paid for. We have a large and dedicated community here, and security is a consideration for everybody.... it's not an issue taken lightly; however, the resources required to monitor contributions to the extent you suggest do not at present exist.... Matti

Thanks for your reply. I did see the red warning --- however, I felt I needed a bit more info, and you provided a response that makes me somewhat less nervous ... while I still realize that I need to use discretion. I wonder if there are ways to increase the level of trust without needing lots of additional resources. For example ... expanding the team membership list to include experienced coders ... allowing only main authors to publish new versions, while allowing others the ability to post patches. Just a brainstorm.