YetiForceCompany / YetiForceCRM

Our team created for you one of the most innovative CRM systems that supports mainly business processes and allows for customization according to your needs. Be ahead of your competition and implement YetiForce!
https://yetiforce.com

coreBOS & YetiForce #4806

Closed bpabiszczak closed 7 years ago

bpabiszczak commented 7 years ago

@PercyP https://github.com/YetiForceCompany/YetiForceCRM/issues/4774

@joebordes @bpabiszczak It would be brilliant if you guys collaborated, as @joebordes has some brilliant components that would be excellent in YetiForce :) Fingers crossed it happens.

It's probably impossible, because we both think our own product is better, and I don't think I can be convinced that coreBOS is better... because it's not :D. However, there are many great things in coreBOS that would be worth implementing. We could even write a migration script from coreBOS to YetiForce, but it won't help with the cooperation.

Joe, go ahead and let me know what you think :D

bpabiszczak commented 7 years ago

Maybe I’ll approach it from a different perspective – what would YetiForce have to do/change/add/rebuild for coreBOS to consider cooperation? Is the problem the ownership of the product, or the product itself?

We would like to hear from our community what you guys think about this idea, what it would look like in your opinion, and if you think there is any point in trying to establish this cooperation.

PercyP commented 7 years ago

@bpabiszczak You both have excellent products; some of us prefer Yeti, others prefer coreBOS. I have seen and used some of @joebordes's products over the years as a Vtiger user, and would love to see some of them integrated here in Yeti. There must be a way of you both collaborating that would be mutually beneficial. Maybe if they developed components for integrating with Yeti, they could sell them via your marketplace with a fee going to yourselves, as they do with Vtiger? That way Yeti users get the additional features and functions they need for their own YetiForce systems, and you both make something on the sales of those add-on components. In terms of some of the problems @bpabiszczak highlighted with coreBOS, I suppose in every system there are flaws (including Yeti), as there will never be a point where a system is 100% perfect; even when you get close, new technology etc. comes in and developers then have to change their near-perfect systems to incorporate it - a never-ending battle. So, in my opinion it would be brilliant to see some collaboration that benefits you both!

kabelo38 commented 7 years ago

Did you get any answers regarding this issue?

https://github.com/YetiForceCompany/YetiForceCRM/issues/4774

This is concerning; security cannot be taken for granted: "When will you fix dozens of SQL injection errors, XSS, and when will you start following the basic safety rules recommended by OWASP, for example? Has coreBOS ever undergone any security audits?"

joebordes commented 7 years ago

I'm sorry but, collaboration is never going to happen. We have two very different ways of seeing the world.

http://blog.corebos.org:8080/en/blog/corebosyeti

@kabelo38 Security is not taken for granted but very seriously; it is the leader of YetiForce who is misleading you in order to make his product look better. Please read the post if you are interested in understanding the SensioLabs report numbers.

PercyP commented 7 years ago

@joebordes

It is sad. But I guess we don't realise/understand what is going on between your two companies? I moved to YetiForce because I love the aggressiveness of their approach in terms of development. They are reactive and very on the ball. Is there something I am missing here?

kapsule commented 7 years ago

@PercyP As @joe says very well in his post, I think we are losing focus. I have been a coreBOS user since its inception. At the time I had the possibility to work with any of the CRMs that currently exist. But like other clients and users, we saw in this project something special, something the rest did not have. Since then, the project has been growing and so has its community. From my point of view that means something.

bpabiszczak commented 7 years ago

@joebordes thank you for all the attention you gave me on your blog, I feel appreciated like never before. It’s clear to everyone who read it that your heart must be pounding whenever you read my posts. I think it’s love, don’t be afraid to admit that.

I read your posts related to https://insight.sensiolabs.com/analyses and I see you don't understand the point of this tool. It's not used to catch security errors. It shows that low-quality code and bad practices significantly lower the performance, safety and overall quality. If a developer uploads changes to the repository, then tools such as SensioLabs, TravisCI, and ScrutinizerCI look for his errors and help him fix them.

Second of all, SensioLabs verifies the code in 111 different ways, including PHP Standards Recommendations compatibility. Vtiger ignoring these standards, and coreBOS then inheriting that, makes your code quality really low. The way you program defines who you are. It's not a problem that you have a ton of errors; the problem is that you don't feel like you have to change anything. The truth is that the majority of your system is from PHP 4 times!!! It's time to wake up. The entire open source community suffers because of software producers like coreBOS or Vtiger.

When I wrote about XSS errors and SQL injection I didn't mean SensioLabs, because this is not what the tool is for [which I explained earlier]. Using only tools like RIPS, Acunetix, or Burp is not very effective, because these tools don't understand how the application works. Only a good security expert can actually use them; for an average developer these tools are useless, because they need to be heavily configured to work with the app.

I will be honest with you: coreBOS has never undergone any security audit, and even if there was one, it probably took 1-2 days and someone analyzed the code with a tool like RIPS. There are currently over 20 critical errors in coreBOS [many of them exist in tens/hundreds of locations]. Additionally, the current version of coreBOS doesn't comply with any security standards that are the basis of every audit.

Over the next weeks, we will publish critical bugs of all Vtiger-based systems [Vtiger, coreBOS, joForce], so that every producer will understand that ignoring security affects not only them, but everyone around them, including their customers. The errors found show the ignorance of producers, lack of security, and lack of implemented security policies for the reported errors. Namely:

I don't know if we will publish every error [writing a post and translating it takes too much time], but the errors that will be published [at least several dozen] will first be sent to the producer, and then after 7 days we will publish detailed information about the error on our blog and social media. I hope that it will change the approach of coreBOS and Vtiger and they will begin to respect their customers, for whom you both provide a solution of very poor quality. What is more, maybe you will start implementing basic security policies.

If coreBOS and Vtiger don't fix bugs regularly, we will publish bugs without waiting for them to be fixed, because there is no point in waiting if the producer ignores security bugs anyway. Please remember, though, that we aren't a company that performs security tests, and we assume that companies that do specialize in these tests would find 2 or 3 times more bugs than we do.

PS: Don't forget to include what I've said here in your blog post, and all published critical errors from coreBOS in the PDF.

joebordes commented 7 years ago

I appreciate your effort in making our projects better (although I don't quite get why you bother). I will be waiting for your comments. Thank you.

playmono commented 7 years ago

@bpabiszczak Actually, it would be fine if you found the errors and tried to fix them with some PRs to their respective projects.

Isn't it the core of open source?

bpabiszczak commented 7 years ago

The idea of open source isn't getting someone else to do something for us because we're too lazy. Every single hour of a developer's work costs, and if we have something to do, we will do it in YetiForce. Check this article https://yetiforce.com/en/news/blog/item/48-php-code-injection-using-an-image-in-popular-open-source-crm-systems-0-day where we describe an error that exists in 6 systems we tested, and in reality I assume it exists in 20 systems.

Do you think that the best solution for the YetiForce project and YetiForce community would be to assign one of our developers to spend 15 days to fix one issue in 10 systems? Or would it be better if he spent that time adding new mechanisms and helping YetiForce community?

Secondly, each system works in a different way, so nobody is going to fix the problems better than the system's producers [we don't program in SuiteCRM and we're not planning to do that]. Another problem is that other systems are often outdated [they don't use Composer, the code doesn't comply with standards, they program the way it was done a decade ago], which would force the programmer to switch to "bad programming", which we obviously don't want.

But the main problem is that there are 5 systems [YetiForce, VtigerCRM, coreBOS, VTC CRM, joForce] that don't cooperate with one another at all, and nobody wants that cooperation. Why should the file upload feature work in a different way in each of these systems? Another thing: some of these systems can't keep up with technological progress and don't follow standards, which makes moving changes among systems too complicated.

Try to solve this problem, cooperation, and then the other problems will solve themselves.
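The comment above refers to PHP code injection through an uploaded image, the class of bug the linked YetiForce post describes. As an added example, not code from YetiForce, coreBOS, Vtiger or any other project named in the thread, the PHP below shows the server-side checks a CRM's upload handler needs so that an "image" carrying PHP code is rejected before it reaches disk. Assumptions: the class name, the allowlist of image types and the size limit are illustrative, and the sample inputs are constructed here, not captured from any real upload.

```php
<?php
// Added example: validating an uploaded "image" so that a file carrying PHP
// code (in a comment block, EXIF data, or appended after the image) is not
// accepted. Not code from any CRM project; names and limits are assumptions.

declare(strict_types=1);

final class ImageUploadCheck
{
    // extension => [expected MIME type, accepted magic-byte prefixes]
    private const ALLOWED = [
        'jpg'  => ['image/jpeg', ["\xFF\xD8\xFF"]],
        'jpeg' => ['image/jpeg', ["\xFF\xD8\xFF"]],
        'png'  => ['image/png',  ["\x89PNG\r\n\x1a\n"]],
        'gif'  => ['image/gif',  ["GIF87a", "GIF89a"]],
    ];
    private const MAX_BYTES = 5 * 1024 * 1024; // illustrative limit

    /** Returns [] when the upload is acceptable, otherwise a list of reasons. */
    public static function problems(string $clientName, string $bytes): array
    {
        $problems = [];
        $len = strlen($bytes);
        if ($len === 0 || $len > self::MAX_BYTES) {
            $problems[] = 'empty or oversized file';
        }

        // Reject double extensions (shell.php.jpg) and anything whose last
        // extension is not on the allowlist. The client name is never trusted.
        $parts = explode('.', basename($clientName));
        if (count($parts) !== 2) {
            $problems[] = 'file name must be name.ext with exactly one extension';
        }
        $ext = strtolower((string) end($parts));
        if (!isset(self::ALLOWED[$ext])) {
            $problems[] = "extension .$ext is not allowed";
            return $problems; // unknown type: no magic bytes to compare against
        }

        // The bytes must match the type the name claims, not just the name.
        $magicOk = false;
        foreach (self::ALLOWED[$ext][1] as $magic) {
            if (strncmp($bytes, $magic, strlen($magic)) === 0) {
                $magicOk = true;
            }
        }
        if (!$magicOk) {
            $problems[] = 'file content does not match the declared image type';
        }

        // A structurally valid image can still carry PHP. If the web server is
        // ever induced to execute the file (misconfigured handler, renamed
        // file, local file inclusion), this is the payload, so reject it here.
        if (preg_match('/<\?php|<\?=/i', $bytes) === 1) {
            $problems[] = 'image contains PHP code markers';
        }
        return $problems;
    }

    /** Server-side name: random, with only the vetted extension kept. */
    public static function storageName(string $clientName): string
    {
        $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }
}

// Constructed sample inputs (not real uploads).
$gif      = "GIF89a" . str_repeat("\x00", 10);           // harmless header
$polyglot = $gif . "<?php system(\$_GET['c']); ?>";      // valid GIF header plus payload
$cases = [
    ['photo.gif',     $gif],
    ['photo.gif',     $polyglot],
    ['shell.php',     "<?php phpinfo();"],
    ['shell.php.jpg', "\xFF\xD8\xFF" . "data"],
    ['photo.png',     $gif],                              // name says PNG, bytes say GIF
];
foreach ($cases as [$name, $bytes]) {
    $p = ImageUploadCheck::problems($name, $bytes);
    printf("%-15s %s\n", $name,
        $p ? 'REJECT: ' . implode('; ', $p) : 'accept as ' . ImageUploadCheck::storageName($name));
}
```

Only the first case is accepted; the other four are rejected for the reason printed. Two points the code cannot enforce by itself: the accepted file should be written to a directory outside the web root (or one where the server is configured never to execute scripts), and re-encoding the image through GD or Imagick before storing it strips comment and EXIF blocks, which removes a payload even if the marker scan above misses a variant.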

PercyP commented 7 years ago

Hi @bpabiszczak and @joebordes ,

I am feeling somewhat guilty for naively asking about the Its4You PDF integration, and so feel responsible for these emails flying between you both.

My apologies, I really didn't mean to open up such a can of worms (if that is the correct analogy).

I would love to see more collaboration, but where that can happen I am not sure, as you are possibly competing in the same space? I do believe, though, that there is space for everyone to be successful here; some people prefer Vtiger, others coreBOS, and others YetiForce. Each will always have loyal customers. I just happen to prefer YetiForce, as it meets my needs the closest for the project I am working on, and I love the flexibility. Security is crucial for me too, but I wouldn't know the difference as to whether a system was secure or not, so I place my trust in the provider, and I have come to trust the YetiForce team. I used Vtiger for many years, but as they got more successful, I felt we (the community) were being pushed out, and in the end we were getting a watered-down system with limited scope to customise it. YetiForce was a breath of fresh air for me; I can customise it to my heart's content!

"Do you think that the best solution for the YetiForce project and YetiForce community would be to assign one of our developers to spend 15 days to fix one issue in 10 systems? Or would it be better if he spent that time adding new mechanisms and helping YetiForce community?"

I agree that your developers should focus on the broader issues; it makes absolute sense. We all 'fiddle' with our versions (not always knowing what conflicts the 'fiddling' might cause), so you shouldn't be expected to fix those. However, people should also be prepared to pay if they get into trouble that requires more than a simple reply to get them out of it.

I am now a firm customer of YetiForce; I love the rapid development process, love the innovations, get excited with each new release, and also appreciate the skills and knowledge of the team.

bpabiszczak commented 7 years ago

@PercyP I think you are taking this too personally. I'm messing with @joebordes a bit because I'm always hoping for the best. Unfortunately he took things too personally, and even wrote a blog post about me.

And it could look completely different:

  1. We sign the contract
  2. CoreBOS and YetiForce companies merge
  3. We move great mechanisms from coreBOS to YetiForce
  4. We create a migration script from coreBOS to YetiForce
  5. We start building a better system together:]

Unfortunately we all know what the reality is going to be, so I’m closing this issue, maybe someday @joebordes will appreciate the solution based on the same engine.