Versions Compared

Old Version 2

changes.mady.by.user Craig McNally

Saved on

compared with

New Version Current

changes.mady.by.user Craig McNally

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Date

...

TimeItemWhoNotes

Anything Urgent? Review the Kanban board?Team

Nothing in the expedite column.

We need to create a new dev Team in JIRA for the team responsible for edge-courses.


Hardcoded System User CredentialsTeam

From Julian in slack:

We still have modules that ship with default system users with hardcoded username and a hardcoded password. In all modules the sysop can configure a different username and a different password, however, it's possible that it's forgotten or that the config has a typo. GDPR requires security by default. A module should fail at startup when username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.

Notes:

  • Do JIRAs exist for the modules which still have default username/passwords? 
    • Not yet.
  • How many are we talking about here?  is it 1? 2? 8+?
    • Julian guesses it's probably around 8 or so.

Time Permitting

Board / Snyk configuration

Team

Suggestion from Jakub Skoczen last week was to drop mod-reservoir from the security board (possibly snyk too) since it isn't part of the Folio flower releases.  Are there any others we should consider as well?  Do we have a policy (or even an opinion) on this?  

  • Upon additional thinking, we feel that doing this would significantly reduce our visibility into security vulnerabilities in these modules.  Let's leave it as is for now, and if it becomes a problem we can revisit.
  • Julian Ladisch pointed out that if the project does adopt the application formalization approach currently being discussed, there's a chance that modules like this may be used as "extended" applications even if not formally part of a flower release.  Therefore we need to stay on top of vulnerably, etc.

Refresh token rotationTeam
  • Regarding the environment variable which allows the legacy endpoints to be disabled, what is the default behavior?  
    • The Security Team's recommendation is that the endpoints are disabled by default, but hosting providers/system-operators can enabled them if needed.
    • Craig McNally will raise this at the TC meeting next Monday.
  • The TC has agreed on a transition period where both legacy and new endpoints will co-exist.  There will be more conversation about which release removes the legacy endpoints altogether at the TC meeting on .

Update on Node 18 upgrade

John Coburn

Support period for the last LTS (16) was shortened, which means the need to move to node 18 has come sooner than anticipated.  See

Jira Legacy
serverSystem JIRA
serverId01505d01-b853-3c2e-90f1-ee9b165564fc
keyFOLIO-3870
for progress.  Almost all components have been updated, only a few remain.

Action items

  •