[Vtigercrm-developers] Vtiger 7.1 Release Schedule

Błażej Pabiszczak b.pabiszczak at yetiforce.com
Fri Dec 29 19:48:08 GMT 2017


Vtiger Team, 

I'm following your project all the time, but as you can see, I have not
taken part in threads for many months and it's probably one of my last
posts here. On the one hand, I'm very happy that Vtiger is developing so
slowly; on the other hand, I know that it will also more or less affect
our project.

From the technical perspective, there is less and less Vtiger in our
fork and probably over the years, everything will gradually
disappear from YetiForce, so there will be nothing to discuss.
Certainly, what you have done from the visual perspective gives an
awesome effect, so congratulations! However, everything else [especially
the majority of the PHP code] is low quality and you have to do
something about it. As far as I understand, most of the standards
related to code quality and its performance are of no importance to
you [because you develop a product only for small companies], but you
really have to do something about security! It will become even more
important because from May 2018 all of Europe will have the new GDPR
regulation, where security is a crucial element, so a low security level
will expose companies that use this solution, e.g. large fines will be
charged.

The problem with security in VtigerCRM [but also in many of its forks,
e.g. VTE CRM, coreBOS, JoForce] is that this system is not well secured
in any way, I mean the following actions: 

* loading files
* loading pictures
* verification of privileges for actions
* verification of privileges for records
* data injection [XSS, SQL Injection]
* a possibility to increase privileges
* CRM's server suspension [does not require login]
* etc.

If these were isolated cases, we wouldn't have a problem because every
application contains some security vulnerabilities; however, what is in
the engine of each of the above-mentioned systems tells us that none of
these companies has ever undergone any professional security audit and
the developers' proficiency inside these companies is insufficient. I can
understand it in the case of coreBOS and JoForce, because they are
companies with 1-2 developers for the whole project, but as far as I
remember, you have dozens of them and several thousand customers for
On-Demand versions. We have been improving security in YetiForce for two
years and we can see how much has already been done, but also how much
still needs to be done. After each detected vulnerability we verified
whether it exists in other systems and it turns out that 95% of the found
and fixed errors are still present in other forks.

Starting from mid-January, we will be publishing a case study about the
errors found [currently we have over 100 for Vtiger, but in coreBOS and
JoForce there are many more]. In addition, all modules we tested for
Vtiger have numerous security vulnerabilities and we will also describe
this problem. Some errors that we found require rewriting entire
mechanisms, which sometimes takes a few days, so it would be worth it for
you to spend more time and effort on security in 2018 - it will pay off
in the following years. With your current level of commitment to the
project, it may turn out that you will be fixing some errors for months,
which is why I hope that this time you will approach the problem
professionally and designate 1-2 of your best PHP developers who will be fixing
security bugs on a regular basis.

However, the most important thing for you should be to find a company
that really specializes in security audits and perform an audit of the
entire application! Without it, you will only create semblances of
security, as at present. Such audits should be carried out on a regular
basis, preferably before the release of each new version. 

PS. Happy New Year!

---
Regards

BŁAŻEJ PABISZCZAK 
M: +48.884999123
E: b.pabiszczak at yetiforce.com 

On 2017-12-28 20:40, Satish Dvnk wrote:

> Yes, Simone. We have pushed all the changes of the mobile app/web mobile into branch 7.1 and please confirm us as we fixed most (major) issues in the app/web mobile.
> 
> On 28-Dec-2017 9:28 PM, "Simone Travaglini" <simonetravaglini at gmail.com> wrote:
> 
> Hi Satish,
> thanks for the update. It's good news!
> What about the mobile module? We see you are working on it, but still bugs... Do you think you will release a stable version with VtT7.1?
> 
> 2017-12-28 16:31 GMT+01:00 Satish Dvnk <satish.dvnk at vtiger.com>:
> 
> Hi All, 
> 
> We are happy to announce that we are going to release the Vtiger community edition version 7.1 in January. We would like to appreciate your valuable contributions and validation towards this release. 
> 
> Following is the expected release schedule for V7.1.
> 
> * RCA - 1st week of Jan
> * GA - 4th week of Jan
> 
> FYI V7.1 FEATURES AND FIXES :
> 
> FEATURES : 
> 
> * FOLLOW A RECORD (Click on the STAR icon to follow a record. By following any record, you get updates on it as other users of your organization modify the record. These updates are sent to you via email. Deselect the STAR icon to unfollow the record.)
> * DUPLICATE RECORD PREVENTION (Prevent duplicate records in Vtiger from all sources by enabling the duplicate check)
> * WEBFORM ATTACHMENTS (Allow user to attach files to web forms)
> * IMPORT USERS USING .CSV FILE (Supports importing User data using .csv file)
> * Supporting MYSQL V5.7
> * CUSTOMIZE MODULES icons
> 
> OTHER FIXES : 
> 
> * Product Issues [1]
> * Usability Issues
> * etc.
> 
> regards,
> Satish.Dvnk 
> _______________________________________________
> http://www.vtiger.com/ 
> 
> -- 
> Simone Travaglini
> 328 5499846
> Linkedin: Simone Travaglini 
> 
> Respect the environment: do not print this email unless it is really necessary!


Links:
------
[1] http://code.vtiger.com/vtiger/vtigercrm/compare/master...7.1.0