2023-02-02 Meeting notes
Date
Attendees
Name | Present |
---|---|
Y | |
Y | |
Y | |
Y | |
Y | |
Y | |
Discussion items
Time | Item | Who | Notes |
---|---|---|---|
1 min | Kafka security | Team | The topic of Kafka security was raised as part of a conversation at the TC yesterday. The Security Team should be aware of this and probably should weigh in on the topic, or even generate proposals if we have ideas for how to solve the problem.
Today:
|
1 min | OWASP/SNYK | Team |
Today:
|
1 min | Cumulative upload problem | Team |
Today:
|
1 min | STCOR-395 "refactor login form to avoid using any form framework whatsoever" | All |
Today: |
1 min | Spring versions and the Official Supported Technologies pages | I've added versions for the Spring components to the Officially Supported Technologies list. For Orchid it's easy: https://folio-org.atlassian.net/wiki/display/TC/OrchidFor Nolana it's more complicated: https://folio-org.atlassian.net/wiki/display/TC/NolanaThe OSS support of several Spring components ends in May 2023. This is more than three months before the end of the Nolana support period that end in August or September 2023. The next minor version of those Spring components will be released in November 2022, this is during Nolana bug fest. We need to bump to this next minor version and release a bug fix for all affected FOLIO Spring libraries and FOLIO modules in November 2022.Running unsupported Spring components is a security risk. If there is a security issue in a supported Spring component we simply can bump the patch version, no risk. If there is a security issue in an unsupported Spring component we don't get notified because it's unsupported, and if we know of an issue we need to bump the minor version, this comes with some risk. Bumping the minor version as early as possible gives more testing time and is less risky. We can discuss this today.
Today:
shows good progress to be in time for Orchid and Nolana backport:
| |
5-10 min | MODEXPS-186 | Julian/Team | MODEXPS-186 "Describe way how to check dependency vulnerabilities during RMB versions upgrade" reads: Purpose/Overview: We need to increase version of dependencies that have vulnerabilities during RMB versions upgrade
Today:
|
1 min | Logging & Personal Data | Craig/Team | A developer recently reached to me asking if the security team or TC has guidance or rules in place for logging of personal data. Some guidelines are documented on the wiki, but I'm wondering if it's worth making some clarifications and creating a draft decision record for the TC to formally endorse Is this even in our purview? Should we seek input from the Privacy SIG? Should I raise this with the TC first? Next steps:
|
* | Review the Kanban board. | Team | Julian Ladisch to discuss the outstanding ERM issues (no movement since Nov). |
Time permitting | Cyber Resilience Act | Team | I raised this with the TC but we should also be aware... https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/ https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act |
Action items
- Craig McNally to create a spike in JIRA for investigating how to fine tune Snyk to better suit our needs