2024-11-21 Meeting notes
Date
Attendees
Name | Present | Planned Absences |
---|---|---|
Yes | ||
Yes | ||
Yes | ||
Yes | ||
Kevin Day | Yes | |
Jens Heinrich | Yes |
Discussion items
Time | Item | Who | Notes |
---|---|---|---|
5 min? | Issue tagging idea | Jens Heinrich | Idea: Have a Tag
|
5 min | Proxy for Dev-Setup | John + Team |
Today:
|
0 min | Jira Group and Security Level review | Team | From Craig in slack:
Today:
|
0 min | - SECURITY-177Getting issue details... STATUS - SECURITY-182Getting issue details... STATUS - SECURITY-189Getting issue details... STATUS | Team | Do we need to backport these fixes to Q? If so, it will need to go into CSP6
Today: |
- | Policy for deprecating and eventulaly removing unsupported code | Team | The idea is to draft a proposal policy for this and run it by the TC for approval... "mod-foo has known security vulnerabilities which are high/critical and have not been addressed in N months. If these aren't addressed within N months the repository will be archived" Something like that...
Jens Heinrich will work on a draft. ``` Introduction This proposal outlines a policy for the deprecation of FOLIO modules outside of the official supported set that are identified to have severe security vulnerabilities and have not been updated in the last three months despite being informed by the Security WG. The objective of this policy is to maintain the overall security and integrity of the FOLIO ecosystem. 1. Objectives Enhance Security: To mitigate risks associated with unaddressed vulnerabilities, ensuring the safety of the FOLIO project. 2. Pre-deprecation steps To ensure developers have a reasonable amount of time to fix the vulnerability a three month period is started after the developers have been privately notified by the Security WG. If the notification is not acknowledged within on month, the deprecation process starts one month after the notification. 3. Deprecation Steps after the grace time has expired Notification: Deprecation Announcement: Module Removal: 4. Exceptions Modules that are part of a larger, ongoing development project with a clear and communicated timeline for resolution may be exempt from immediate deprecation. 5. Conclusion The proposed deprecation policy aims to create a safer ecosystem for all FOLIO users by addressing severe security vulnerabilities in a timely and organized manner. By implementing this policy, we can ensure that the FOLIO platform remains robust, secure, and adaptable to the evolving security landscape. |
* | Anything Urgent? Under Review Filter: Getting issues... | Team |
|
Topic Backlog | |||
Time permitting | Advice for handling of sensitive banking information | Team | From slack conversation, I think I've gathered the following:
Let's review and discuss before providing this feedback to Raman. Axel Dörrer also suggested that defining classes of sensitivity could help teams determine which techniques are applicable in various situations. I agree having some general guidelines on this would be helpful.
It would probably help to provide concrete examples of data in each class. This can be a longer term effort, we don't need to sort out all the details today.
Today: Axel Dörrer to do a first draft as a base for further discussions |
Status on pentesting works within Network traffic control group | Due to some absences on different reasons the group stalled. Axel will try to reactivate the group. | ||
Okapi Debian Package - FOLIO-3896Getting issue details... STATUS |
|