Posted over 4 years ago by pokoli
The Foundation has decided to publish a budget for 2021. This is an exercise in transparency so everyone can see our plans. Note that the income of the foundation comes only from donations so we cannot guarantee that all the things will get done. We have ordered the points by priority. Each point will be done once we get a total amount of donations.
Budget points
1700€: Infrastructure maintenance (rental and services to maintain our servers).
2300€: Create a public overview of how all the current infrastructure is set up.
3100€: Buy a new Mac mini to support Apple Silicon
4300€: Improve the contents of the current website by writing more details about supported features and including more success stories.
7300€: Build a new code review system
The amounts do not represent the amount needed for each individual point but the total amount of donations we need to be able to work on it. The cost of each point can be calculated by subtracting its amount from the amount of the previous point.
If you want to help make these things happen please consider donating to the foundation. Any amount will be appreciated. We would also like to thank everyone who has already donated to the foundation. Last but not least, we would like to receive enough in donations to buy the Mac mini before the next Tryton release, scheduled for 3rd of May, so we can include support for new Apple devices.
About maintenance and infrastructure cost
If you have been following Tryton for some time you will have noticed that the maintenance budget has increased this year from 500€ to 1700€. The main reason for this is that we have agreed to also include all the services related to maintenance in this cost. Until now B2CK have been providing these services for free, but as it is a time consuming task, and sometimes needs to be done in a hurry when something isn’t working properly, we agreed that it should be paid.
During this year, we are also relying on B2CK to provide the maintenance services, but our plan is to allow other companies to also offer these services. This will allow us to choose which one is best. For this reason we added the second point on the budget, which will allow everyone to have an overview of what needs to be maintained.
|
Posted over 4 years ago by ced
Here’s a sneak peek at the improvements that landed during the last month.
Changes for the User
We now show the carrier on the shipment list so it’s possible to prioritize shipments based on the carrier.
We’ve added a wizard to make it easy to add lots to stock moves. The sequence to use for the lot number can be configured for each product.
We ensure the unit prices for stock moves are up to date when their invoices are posted or their moves are done.
The account move lines created by a statement now have the statement line as their origin. This makes it simpler to audit the accounts.
We now use the menu path from which a window was opened as its name.
We now warn the user when they try to post a statement with cancelled or paid invoices and then remove them from the statement.
A delivery usage checkbox has been added to contact mechanisms just like for addresses. It can be used, for example, to indicate which email address to send notifications related to deliveries.
The clients now display the revision on the dialog. This is useful, for example, when opening the party dialog from the invoice when the history is activated. This way the user can see from which date the information is displayed.
It is easy to get lost when quickly opening consecutive dialog fields. To improve the situation, the clients now display breadcrumbs in the title showing the browsing path to the dialog.
We’ve added the new identifiers from python-stdnum 1.15.
We no longer create accounting moves for stock when the amount involved is 0.
There is now a scheduled task that can be configured to fetch currency rates at a specific frequency. By default it gets the rates from the European Central Bank.
New Modules
Changes for the System Administrator
We’ve added device cookie support to the clients. This allows these clients to not be affected by the brute force attack protection.
Changes for the Developer
It is now possible to send emails with different “FROM” addresses for the envelope and header.
All the warnings can be skipped automatically by adding a single key named _skip_warnings to the context.
We’ve added the trigonometric functions to the SQLite back-end.
Any fields that are loaded eagerly are no longer instantiated automatically but instead the id is just stored in the cache. The instantiation is done only if the field is actually accessed. This improves the performance of some operations by up to 13%, but the actual improvements you can expect will depend a lot on the number of fields the model has.
It is now possible to define help text for each selection value. However, at the moment only the web client can display it.
We made the ModelView.parse_view method public. This allows the XML that makes up the view to be modified by code before it is sent to the client.
It is now possible to group the report renderings by header. As the OpenDocument format only supports a single header and footer definition, this feature renders a different file for each header and places them in a zip file if needed. This is used when rendering company related reports which display the company information in the header/footer.
In order to simplify the dependencies in our web client, we replaced tempusdominus with the browser’s native input methods for types date, datetime-local and time when available.
In order to make better use of the browse cache, the getter method of Function fields is called with cache sized groups of records.
|
Posted over 4 years ago by ced
Synopsis
A vulnerability in trytond has been found by German Dario Alvarez.
With issue10068, the WSGI server does not prevent serving files outside the root directory. This allows an attacker to retrieve the content of files for which the trytond user has read access.
Impact
CVSS v3.0 Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Workaround
It is possible to set up a reverse proxy in front of trytond that sanitizes the request path.
Resolution
All affected users should upgrade trytond to the latest version.
Affected versions per series:
5.8: <= 5.8.3
5.6: <= 5.6.12
5.0: <= 5.0.32
Non affected versions per series:
5.8: >= 5.8.4
5.6: >= 5.6.13
5.0: >= 5.0.33
Reference
Issue 10068: Directory loader can escape root directory - Tryton issue tracker
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.
|
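The containment check that the advisory above implies ("Directory loader can escape root directory"), as an added example that is not trytond's code or its fix. The helper `resolve_under_root`, the `www` directory layout and the sample request paths are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed request paths: two legitimate, the rest must be refused.
SAMPLE_PATHS = [
    "/css/site.css",
    "/css/../css/site.css",
    "/../secret.cfg",
    "/%2e%2e/secret.cfg",
    "/css/..\\..\\secret.cfg",
    "/link.cfg",
    "/../www-private/notes.txt",
]


def resolve_under_root(root, request_path):
    """Return the real file path under root, or None if it escapes root.

    Hypothetical helper, not part of trytond.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(request_path)  # decode once, before any check
    if "\x00" in decoded:
        return None
    # Leading separators are stripped so os.path.join is not reset by an
    # absolute component; backslashes are treated as separators too.
    relative = decoded.replace("\\", "/").lstrip("/")
    # realpath collapses ".." and follows symlinks, so the check below is
    # made on the file that would really be opened, not on the request.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath compares whole components; a startswith() test would
    # wrongly accept the sibling directory "www-private".
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Build a throwaway tree and report which sample paths are served."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "css"))
        os.makedirs(os.path.join(base, "www-private"))
        for name in ("www/css/site.css", "secret.cfg", "www-private/notes.txt"):
            with open(os.path.join(base, name), "w") as handle:
                handle.write("constructed sample content")
        # A symlink inside the root that points outside it.
        os.symlink(os.path.join(base, "secret.cfg"),
                   os.path.join(root, "link.cfg"))
        return {path: resolve_under_root(root, path) is not None
                for path in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, served in demo().items():
        print(("serve " if served else "refuse") + " " + repr(path))
```
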
Posted over 4 years ago by pokoli
Previously we worked hard to improve the user interface of our bug tracker. We are happy to announce that last month we added two new features to make it more user friendly:
We now show the gravatar profile image for each user.
We’ve added the ability to link your bug tracker profile to your discuss one and your translate one.
In order to make use of this feature we’d like to encourage everyone to set a gravatar for your email and also set the links to your profiles as shown in the following image:
[Image]
Please give a like to this post to show that you like these new features.
If you think there is something else that could be improved please create a new topic in the organization category.