Versions Compared

Old Version 1

changes.mady.by.user Craig McNally

Saved on

compared with

New Version 2

changes.mady.by.user Craig McNally

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Date

...

NamePresent

Craig McNally 

Y
Julian Ladisch 
Y

Axel Dörrer 


Ryan Berger 

Chris Rutledge 


Jakub Skoczen 


John Coburn 
Y

Skott Klebe Jens Heinrich 




Discussion items

TimeItemWhoNotes

Anything Urgent? Review the Kanban board?Team

Nothing in the expedite column.

We need to create a new dev Team in JIRA for the team responsible for edge-courses.


Hardcoded System User CredentialsTeam

From Julian in slack:

We still have modules that ship with default system users with hardcoded username and a hardcoded password. In all modules the sysop can configure a different username and a different password, however, it's possible that it's forgotten or that the config has a typo. GDPR requires security by default. A module should fail at startup when username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.

Notes:

  • Do JIRAs exist for the modules which still have default username/passwords? 
    • Not yet.
  • How many are we talking about here?  is it 1? 2? 8+?
    • Julian guesses it's probably around 8 or so.
Time Permitting

Board / Snyk configuration

Team

Suggestion from Jakub Skoczen last week was to drop mod-reservoir from the security board (possibly snyk too) since it isn't part of the Folio flower releases.  Are there any others we should consider as well?  Do we have a policy (or even an opinion) on this?  

  • Upon additional thinking, we feel that doing this would significantly reduce our visibility into security vulnerabilities in these modules.  Let's leave it as is for now, and if it becomes a problem we can revisit.
  • Julian Ladisch pointed out that if the project does adopt the application formalization approach currently being discussed, there's a chance that modules like this may be used as "extended" applications even if not formally part of a flower release.  Therefore we need to stay on top of vulnerably, etc.




Action items

  •