Contributors mailing list archives

Browse archives


Re: OCA and security notices

by "Raphaël Valyi" <> - 31/12/2020 16:03:01
a few considerations,

About a 2 years based LTS:
yes at Akretion we mostly skipped the uneven Odoo versions since version 8 (before that evolution was so much needed that we couldn't). But that may change. It happens Odoo SA screwed v9 release badly and so far they screwed no even version. But should they screw v16, we might totally change our "LTS" policy and we have no control over what version Odoo will screw or not. That being said, there is also an OCA effort resonance happening on Odoo uneven releases. Look how many modules every Odoo version has 1 year or 2 years after release and it will be clear that this is not just an Akretion thing. In the future, eventually migrations become simpler and we follow every version, I can not tell you except that this would be the condition.

About migration cycles:
Even if you go for an uneven LTS strategy, not every company may migrate every 2 years (or less), that is just not true. Large projects may need to invest for 1 full year for the implementation, not sure it's appealing to invest 20% of the implementation cost the next year to migrate immediately. The newer the version you migrate too, the more expensive it will be as you will eventually need to migrate the OCA modules yourself or even dig into the early OpenUpgrade bugs/limitations. A company can have a bad year, the integrator may not be available. The market is growing a lot, lots of new integrators have just not the experience to be able to migrate 1 or 2 years after they started their 1st projects where they likely did a lot of shit...
As soon as you admit this, having secure versions for only 3 years before being forced to migrate is not appealing at all. I think 4 years (2 LTS cycles) would be a wiser stance.

A business opportunity for the OCA?
Since Odoo SA says they take care of security for only 3 years, eventually this gives room for the OCA to brag "the OCA ensures the security patches from recent Odoo releases are backported for 4 or 5 years". We may not promise it's all secure, but IMHO promising this backport is cheap and may drive more audiences to the OCA.

About Odoo SA trying to please the VCs. 
It has been very true in the past and eventually shaped the released cycle. But we know it's no longer true: despite nearly losing control to the VCs back in 2015 (as Fabien admits himself that had only 2 month of cash if they didn't made the last VC round where they had to change the license and start doing proprietary code), they now managed to get totally independent from them again. Eventually we were pissed of by the risk taken while we didn't choose open source for that kind of risk. But it's over now. That being said, Odoo SA is now a company with many salesmen and managers, sort of unproductive people and consequently they need to sell new projects like mad to feed everybody. So eventually they are structurally doomed to keep riding the rocket.

About security and Python versions:
again IMHO the OCA is not wise when it follows Odoo SA Python version policy, like have the v14 CI run Python 3.6 (end of life next year). Because what we see with the Odoo CVE also just happens in the Python packages we depend on. In new fields like web, API connectors, ecommerce, SOAP... Python packages come and go, replaced by newer technologies. Newer packages use recent Python versions and loose compatibility with older Pythons. Hence if you use an old Python, chances are your Python packages have much more CVE that will not get fixed, not even for a newer Python (a new lib might be used instead). IMHO, Odoo SA supports older Pythons by accident because they come from legacy, But just because they support it by accident is not a good reason for the OCA to align to this policy. We don't run the CI on windows just because Odoo SA also make Odoo instalable on Windows, right? So why cannot we say: "you want Odoo 14? The OCA CI ensures it works on Python 3.7+, so evolve your distro before starting your real life project, doing that may give you 1 extra year of CVE free packages in the future."

About web enabled ERP and security:
We have to face it: how many not up to date Odoo ecommerces and portals are there around in the wild? Now think about how easy it is to take the CVE list of Odoo and of its old Python dependencies and scan the web to attack these older Odoos? Think how hard it is to migrate and how naive were some companies to do an Odoo ecommerce before understanding this. Think if company X has an unfair competitor Y ready to pay a hacker to use these CVE to attack the old Odoo, think how easy it is to take over the company X data or even spoil its ERP... At Akretion this is the kind of reasoning we had before building Shopinvader for instance.


On Thu, Dec 31, 2020 at 11:12 AM Pedro M. Baeza (Tecnativa) <> wrote:
For me the path is clear: upgrade to the latest possible Odoo version, and that's why OpenUpgrade is done and funded by OCA itself, and the most famous OCA modules are migrated to all versions by regular contributors.


Post to:

Raphaël Valyi
Founder and consultant