Open millenium-codebug opened 3 years ago
nileio
commented
3 years ago @millenium-codebug can't agree more - the dependancies are all over the place. I am actively working on a fork https://github.com/mavenea/mavencrm to fix many issues and provide a single click install - check out the backlog and roadmap and what is being worked on. I will include your suggestions
davidegiarolo
commented
3 years ago @millenium-codebug thank you for the advice, we'll pin the version with the right ones. about the zend libraries using the new ones (laminas for example) is a long time process so right now we prefer to fix bugs and maintain those old libraries by ourselfes, we use them mostly for the messages module. we take a look also to violinist.io in order to see if it can helps us
@nileio nice to see that you like our software! about the forks, personally i have an opinion that i want to share with you. a fork is a nice idea when:
millenium-codebug
commented
3 years ago @millenium-codebug thank you for the advice, we'll pin the version with the right ones. about the zend libraries using the new ones (laminas for example) is a long time process so right now we prefer to fix bugs and maintain those old libraries by ourselfes, we use them mostly for the messages module. we take a look also to violinist.io in order to see if it can helps us
Hi @davidegiarolo, I think that your are lying about the fixes of "those old libraries" in composer.json you should load a VTECRM/zend-http package instead of the official and deprecated one or do something like that
"autoload": {
"files": ["zend_http_override.php"]
},I would like to show this and this to you. I think that if i check, that CVE would affect this repository (and the business version too) and this mean that the software is insecure.
davidegiarolo
commented
3 years ago hi, no one is lying here. simply as human I also can miss some details and i reported to you the feedback of our developers about that thread. consider that this repo is here to improve the software and the software is open so there is no way to lie... I telled you that we fix the old libraries but of course we fix the bugs we found, and the laminas example in place of the zend-mail was one of that. we'll appreciate if you can help us and check the CVE so we can mitigate the issue, or better if you can pull a fix you're welcome. as far as we know the software is secure and consider that we have third party that made penetration and owasp testing.
nileio
commented
3 years ago @millenium-codebug I appreciate that we having a discussion but I don't think it is at all appropriate to refer to a point or anything as being a "lie" !!
@davidegiarolo thanks for explanation. No dev activity in the repo and the forum response about the dev community was little unclear so it appeared more like a closed source product than anything else, and therefore the decision to make a fork. There is also a number of other design objectives that I listed in the backlog and vision in my repo. In all cases, most probably the module fixes + the new theme "blueberry" can be integrated with the core VTE product. I intend to push all the changes in the coming weeks..
composer.jsonlists many wildcard dependencies:Versions should always be pinned to a major version so that they don't break when the interface changes with major updates.
Also the following is abandoned:
videlalvaro/php-amqplibzendframework/zend-httpzendframework/zend-mailI would also recommend to insert ALL dependencies (adodb for example) in ONE
composer.jsonand please don't commit the vendorMaybe you should evaluate violinist.io to automate the dependency update process