2023-10-12 Meeting notes


Date

Oct 12, 2023

Attendees

Name               Present   Planned absences
@Craig McNally     Y
@Julian Ladisch    Y         Oct 19, 26th
@Axel Dörrer                 Oct 12th & 26th
@Ryan Berger
@Chris Rutledge
@Jakub Skoczen
@John Coburn
@Skott Klebe

Discussion items

Time: ?
Item: Anything Urgent? Review the Kanban board?
Who: Team
Notes:

  • ...

Time: ?
Item: Hardcoded System User Credentials
Who: Team

From Julian in Slack:

We still have modules that ship with default system users with hardcoded username and a hardcoded password. In all modules the sysop can configure a different username and a different password, however, it's possible that it's forgotten or that the config has a typo. GDPR requires security by default. A module should fail at startup when username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.
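The startup behaviour Julian describes, as an added example (not code from any FOLIO module): the module refuses to start when the system-user username or password is missing, blank, or still equal to a shipped default, instead of silently falling back to a hardcoded account. The config keys, the default values and the `mod-foo-user` sample are hypothetical.

```python
"""Fail-fast check for system-user credentials at module startup (added example)."""
import os
import sys

# Hypothetical config keys the module reads, e.g. from environment variables.
USERNAME_KEY = "SYSTEM_USER_NAME"
PASSWORD_KEY = "SYSTEM_USER_PASSWORD"

# Hypothetical defaults that older builds shipped with. Either one still
# being in use means the sysop forgot the override, so startup must fail.
DEFAULT_USERNAMES = {"system-user"}
DEFAULT_PASSWORDS = {"system-user-password"}


class CredentialConfigError(RuntimeError):
    """Raised when the system user is not safely configured."""


def validate_system_user(config):
    """Return (username, password) from *config* or raise CredentialConfigError.

    *config* is any mapping such as os.environ. A typo in a key name shows up
    here as a missing key, which is exactly the case that must not be papered
    over by a default. Only key names, never values, go into the error text.
    """
    username = (config.get(USERNAME_KEY) or "").strip()
    password = config.get(PASSWORD_KEY) or ""
    missing = [key for key, value in ((USERNAME_KEY, username), (PASSWORD_KEY, password))
               if not value]
    if missing:
        raise CredentialConfigError(
            "system user not configured, refusing to start; missing: " + ", ".join(missing))
    if username in DEFAULT_USERNAMES or password in DEFAULT_PASSWORDS:
        raise CredentialConfigError(
            "system user still uses a shipped default credential, refusing to start")
    return username, password


def startup(config=os.environ):
    """Module entry point: exit non-zero rather than run with a default user."""
    try:
        username, _ = validate_system_user(config)
    except CredentialConfigError as exc:
        print(f"FATAL: {exc}", file=sys.stderr)
        sys.exit(1)
    print(f"starting with system user {username!r}")


if __name__ == "__main__":
    startup()
```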


Notes:

  • Do JIRAs exist for the modules which still have default username/passwords? 

    • Not yet.

  • How many are we talking about here? Is it 1, 2, 8+?

    • Julian guesses it's probably around 8 or so.

  • Axel volunteered to help file some of these.

Updates:

  • 6 issues were filed by @Axel Dörrer:

    • mod-pubsub

    • mod-search

    • mod-entities-links

    • mod-consortia

    • mod-inn-reach

    • mod-dcb

Time: -
Item: New Critical issues identified by Snyk
Who: Team

mod-serials-management has two critical issues:

There's also a high:

We probably want to create JIRAs for these. The MODSER JIRA project is applicable here, and they should be assigned to the K-Int team.

NOTE: I don't think this is part of a flower release yet, and will not be part of Poppy, so not stop-the-world critical at this point, but will be nice to have these filed.

Action items