Installing PrestaShop and OpenCart was very simple in both cases; the one thing I found interesting about PrestaShop was their last install instruction: to rename the “admin” directory to a random string, effectively serving as a password. Smart! Since OpenCart did not make this suggestion, I wonder whether doing so would break the installation, i.e. are the paths in the files able to detect what directory they are inside of, and update themselves? I am going to guess not, but I will try it anyway and see.

Worryingly, I came across a really interesting blog post about security with OpenCart. A security researcher named Ben Maynard found a vulnerability in OpenCart which would allow an attacker to create an admin user account, if he were able to get the real admin to click on a link while logged in to his admin section.
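The flaw described above is a cross-site request forgery: the admin's browser sends the session cookie with any request to the shop, including one a foreign page triggers. The added example below (not from the original post or from OpenCart's code) contrasts an admin-creation handler that trusts the session cookie alone with one that also demands a POST and a per-session token; the Session, Store and handler names are assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    """Server-side session of a logged-in admin (constructed for this example)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Store:
    admins: set = field(default_factory=lambda: {"shopowner"})  # constructed sample data

def add_admin_vulnerable(store, session, method, form):
    """Trusts the session cookie alone. The browser attaches that cookie to any
    request aimed at the shop, including one started by a link on another site,
    so the real admin's click is enough to run this with the admin's authority."""
    if session is None or session.user not in store.admins:
        return 403
    store.admins.add(form["username"])
    return 200

def add_admin_hardened(store, session, method, form):
    """Same cookie check, plus two things a foreign page cannot supply: the state
    change must arrive as a POST, and the form must carry the per-session token
    that only a page rendered by the shop itself can embed (same-origin policy
    keeps other origins from reading it)."""
    if session is None or session.user not in store.admins:
        return 403
    if method != "POST":
        return 405
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403
    store.admins.add(form["username"])
    return 200

def simulate(handler, method, include_token):
    """Replay one request in which the admin's cookie is present but the form
    body was authored elsewhere; returns (status, whether an account was created)."""
    store, session = Store(), Session(user="shopowner")
    form = {"username": "newadmin"}
    if include_token:
        form["csrf_token"] = session.csrf_token  # only the shop's own page has this
    status = handler(store, session, method, form)
    return status, "newadmin" in store.admins
```

Only the last case, a POST carrying the token the shop itself issued, succeeds against the hardened handler; the vulnerable one creates the account from a plain link click.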

He notified Daniel, the lead programmer/founder of OpenCart, of the vulnerability, and the response demonstrated a concerning lack of interest in the possible compromise in security. The correspondence listed above is worth the read.

Daniel eventually fixed the security issue in the next release of OpenCart, as detailed in the comments thread of this post, without ever thanking Ben for his analysis. Furthermore, a link posted to a thread in OpenCart’s forum from that same blog post comment thread shows Daniel absolutely belittling another programmer who reviewed OpenCart’s code and concluded that there was room for improvement.

That doesn’t sit well with me. If someone takes the time to evaluate your work, you owe them the minimum of respect for their time. Daniel calls this coder an idiot multiple times; it’s painful to read. OK, I get that you are stretched tight for time, you get criticism all the time, and you are uniquely situated with respect to the code to know when someone’s comments are not true, or are obsolete in terms of the roadmap/current betas, etc. But that doesn’t give you license to attack someone else. I guess the idea of “Open” hasn’t quite registered.

Speaking of criticism, that is something of a vulnerability for the OpenCart project as a whole: with one programmer who doesn’t exactly welcome feedback or collaboration, one has to wonder about the stability of the project. One cannot question the pace of releases, however; Daniel does seem to be very committed to improvements. I guess I will let the software speak for itself, even though I am probably a bad judge because I can’t even really understand the code itself, given my level of understanding. I’m still going to invest time in the app, even though I’m now concerned that I could be investing in a dead end. Why? An individual can only take a complex project so far. Daniel needs to branch out. If it’s control he seeks, then he needs to change his business model to increase revenue to hire coders, instead of collaborating with them, which he seems to be unwilling to do. That way, he will retain control over how the project is executed, but at least it’s no longer simply one individual, which does not inspire confidence. An individual can incubate, prove the concept, tinker, launch, and iterate. But real growth is beyond one person.


© 2011 'Tis Educational