What are the security risks from community modules?
Assuming a testing instance of OpenERP, separate from the production instance, running on a relatively secure OS such as Ubuntu then how much harm could a malicious community module do to the server? Could it delete data? Upgrade access privilege?
When testing a module, what level of isolation is prudent without being paranoid?
Level 1: Separate database on the same instance as the production database
Level 2: Separate instance from the production instance but on the same server
Level 3: Separate OS, such as a virtual machine from the production server.
What about modules with hidden purposes? For example, there are apps on Google play that do what they claim but also hide another purpose such as stealing information.
↧