Achievo 1.5.0 #17
Comments
Sounds good. I'll do some testing. Should I wait for you to create a release branch, or should I test the develop branch? It's been a while; can I use the latest PHP and MySQL? Dale
It doesn't make a big difference, you can test the develop branch. As far as I've heard, Achievo doesn't run with PHP 5.4, but the latest MySQL should work fine.
@dalers No progress? No comments on this question either, it seems: http://bugzilla.achievo.org/show_bug.cgi?id=1717
No posts doesn't necessarily mean no progress ;-) Are you currently using or considering using Achievo/ATK? If so, you will likely learn more by asking about behavior under different circumstances, and then helping solve any issues. If you are only testing your web vulnerability software, then have fun and please keep us updated. Fwiw, I haven't been active in the Achievo/ATK project for a year or two now, but still lurk in the hallways.
I was not asking about "behavior". I was and still am interested in the status of several open security vulnerabilities in your software. Mainly these three: http://osvdb.org/87012 I understand that you might be a busy person or "insert other good reasons here", but the issues haven't been fixed in over two years. I was asking about this because I am developing and actively using a security scanner to notify end-users if they are not using a secure version of various web software, and I was planning to implement detection for Achievo too. By not fixing vulnerabilities promptly you (the dev team) are putting users of Achievo at unnecessary risk. I am not commenting here to criticise your work, but to improve the overall quality of your software, and currently my only solution is to suggest that any user change product until there is a fix available.
Thank you for clarifying your motivation and intent. However, I must defer to those actively managing project direction to comment further.
Ping @sndpl
You really should take a look at the docs ;-). Sandi hasn't really been involved since iBuildings handed over stewardship of the project to the community to manage (and they had essentially stopped development at least a year earlier). If you don't mind, how does your business model work? It would be wonderful if you kept the world safe from bad apps just because you were independently wealthy and just wanted to. Is this "marketing" to some degree for you? Do you generate client work as a result of part-time work on the web scanner? I'm not critiquing, just curious. I was really just a technical business user, attempting to model ("implement") business processes in Achievo, mainly related to high-tech engineering project management. I left when I realized that ATK/Achievo was too low-level, but also too constrictive at the high level in the Achievo code-base. It is what it is. A developer needs to be honest and understand the weaknesses of his tools, but also understand the constraints (costs of fixing or switching framework), compared to benefits and risks. It's just one big compromise in the end; no one's going to build the next Facebook on ATK/Achievo. (Quoted e-mail: From: Henri Salo; Sent: Thursday, November 27, 2014 2:40 PM; To: atkphpframework/achievo; Cc: Dale Scott; Subject: Re: [achievo] Achievo 1.5.0 (#17); Body: Ping @sndpl)
Hi,
@dalers Open-source project out of my spare time. So after this conversation the conclusion is: Achievo is not fixing vulnerabilities if the issue requires a user account, even if the vulnerability is critical. My suggestion for the project is to add a note to the main web site that at least these https://www.netsparker.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/ vulnerabilities have not been fixed and there is no plan to do so. This should be the "responsible course of action", as these are publicly announced security vulnerabilities. My suggestion for any current Achievo user is to change software as soon as possible. I hope that there won't be any new Achievo installations in the future, as the project is (somewhat) abandoned.
There are many changes in develop which should be delivered to Achievo users; this especially includes the highly security-sensitive changes introduced with #11. I suggest releasing it as Achievo 1.5.0. @atkphpframework/team-atk-admins