The OpenSUSE package contains a patch from #5375 (closed) which was extensively discussed on the issue. But the main problem is that this patch removes the brute force attack as explained in msg24660.
I have requested @coogor privately by email (about two weeks ago) and on the ML [1] to remove this patch from the package. I got no clear answer about whether any action will be taken.
So for me, Tryton should not advise about using this package as it provides a weakened version of the software to the users.
I agree with the proposed dates if no further action is done.
@cogoor: I understand that you want to not apply this patch. A lot of discussion has been done on the topic and several proposals to improve the security have been made. On the other hand, you are free to include the patch in the openSUSE distribution, but we have explained several times why we don't want to include this patch, so we cannot do anything else than remove the advice to use a weakened version of Tryton.
Am Dienstag, 6. Februar 2018, 10:17:51 CET schrieb Sergi Almacellas Abellana:
> Sergi Almacellas Abellana <sergi@koolpi.com> added the comment:
>
> I agree with the proposed dates if no further action is done.
>
> @cogoor: I understand that you want to not apply this patch. A lot of
> discussion has been done on the topic and several proposals to improve the
> security have been done. On the other hand, you are free to include the
> patch in the opensuse distribution but we have explained several times why
> we don't want to include this patch, so we can not do anything else than
> remove the advice to use a weakened version of tryton.
>
> ----------
> status: closed -> testing
>
> _______________________________________________
> Tryton issue tracker @tryton.org>
> <https://bugs.tryton.org/#7111>
> _______________________________________________
Sorry guys, I don't think that it is up to you to decide
--
Dr.-Ing. Axel K. Braun
M: +49.173.7003.154
T: @coogor
VoIP/Skype: axxite
PGP Fingerprint: 2E7F 3A19 A4A4 844A 3D09 7656 822D EB64 A3BA 290D
Public Key available at http://www.axxite.com/axel.braun@gmx.de.asc
Personal Freedom starts with free(dom) Software
ThinkPad T520 running openSUSE Tumbleweed
Kernel: 4.14.15-2-default
I do not understand what the foundation has to do with this.
We (the developers of Tryton) decide collectively what enters into Tryton or not. This decision to reject this patch has already been made without any objection.
The Foundation does not have the goal of deciding about the content of the project. Please check http://www.tryton.org/foundation/#what-does-the-tryton-foundation-do
I do not see "decide the content of the website".
But the rules for taking decisions about the content are http://www.tryton.org/how-to-contribute.html#rules
After pondering a while if I should really participate on this issue I finally decided to give it a try.
I already posted an extensive analysis of the situation in #5375 (closed) in https://bugs.tryton.org/msg24691, where I summarized the different topics. My proposal to discuss the different identified topics separately, extensively, publicly and in an open way before coming to conclusions was not followed. Maybe this is the reason for escalations like this one.
Likewise this issue refers in the same way to quite a number of different topics that cannot possibly be solved in this very issue. The topics I am identifying are:
- Session management of trytond
- Login delay handling of trytond
- Usability aspects (as in punishment of wrong password entries and with regard to distributions in general)
- Hardening of trytond against brute force attacks
- Hardening trytond against (D)DoS attacks
- Responsibility about decision taking inside the project (namely website content in this case)
- Attitude and mindset face to face with downstreams and distributions (namely GNUHealth and OpenSUSE in this case)
I consider this issue to be an escalation of poor and missing communication. The gentle reader may take it as a clear sign that the discussion now happens in a productive way at https://bugzilla.opensuse.org/show_bug.cgi?id=1078111. As a consequence, and following the discussion in the openSUSE bug tracker, I strongly recommend marking this issue as invalid or at most deferred (if it should be part of a thorough investigation of *all* the involved topics as depicted above).
* Cédric Krier [2018-02-06 14:33 +0100]:
>
>Cédric Krier <cedric.krier@b2ck.com> added the comment:
>
>For me, the "infrastructure" is not the content. But anyway, when
>will the Foundation take a decision on this topic?