Contributors mailing list archives



Re: OCA and security notices

Sunflower IT, Tom Blauwendraat
- 31/12/2020 14:55:39
Odoo is not taking any responsibility for fixing security issues on older versions. Since OCA is understaffed, it's hard to keep all balls in the air: maintaining and bugfixing older modules, doing security patches in OCB, maintaining OpenUpgrade, etc.

I heard that Akretion is skipping the uneven versions of Odoo, but maybe I heard wrong.

Would it be a good idea to take the initiative to designate certain versions as "LTS" releases, making sure that these have security patches, bugfixes and an upgrade path? Similar to e.g. Django or Linux Mint. It might serve to bring more focus into a scattered (but wonderful) open source effort.

Dec 23, 2020 11:47:43 Houssine BAKKALI:

Hi community,

Yesterday a security notice has been published.

Stefan has begun to bring one security fix to OCB with this PR

It raises what seems to be an important point about the handling of the security fixes for the unsupported Odoo version on OCB. Should this be taken in charge by OCA, as OCB is under the OCA umbrella, or will it remain on the goodwill of the community's members? I don't have any problem with one of the possible responses.

My point is how do we tackle the minimum about this topic. I mean, how do we organize the contribution members on this topic?

My first idea will be to open an issue on OCB for each security notice and organize the work as it is done for modules migration. What do you think? Creating a PSC team security could be another idea.

Finding the security issues seems to be easy but at this point we don't have a tracking on the ones that are brought back on the unsupported version on OCB.

Here at Coop IT Easy we'll probably focus on the versions affecting our customers; it means 9.0, as 11.0 and later are still supported.



