If we want to protect live sites from exploits of 0-days before they can be patched, I think we're better off adjusting our critical bug reporting procedures than locking down access to the report of the problem to a curated set of users.

Perhaps we keep the bug restricted to a trusted set of users until it's fixed, then once a fix is in place, we notify the community at large and make the issue open at that point? We'd need to make maintenance of this list of trusted users something the community can agree to, and make membership in it accessible.


Ian

On Wed, Sep 25, 2019 at 11:40 AM Stephen Pampell <spampell@library.tamu.edu> wrote:
The instances of FOLIO running in production are not the only ones exposed to the internet.  I believe it to be unethical to allow those institutions (such as Texas A&M) to be kept in the dark while hosted instances get “fixed”. This is not how an OSS community works.

There needs to be a process by which we notify the community of security problems. And it can’t be one where we have 2 classes of organizations: one where you run on hosted instances and get patched immediately, and one where you self-host and get patches once the hosted instances are patched.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries

Tel. 979.458.5581 | Fax 979.845.6238

On Sep 25, 2019, at 10:26 AM, Robert Douglas <rld244@cornell.edu> wrote:

Ok thanks Peter.
 
 
I can't think of a way of summarizing it without giving away the exploit.  Given that we have a library in production now, I think it is prudent to wait until the issue is fully addressed.
 
 
Peter
 
-- 
Peter Murray
Open Source Community Advocate
Index Data, LLC
On Sep 25, 2019, 11:17 AM -0400, Robert Douglas <rld244@cornell.edu>, wrote:

Is there a description of the issue outside of Jira we can see? I’m not seeing it in this thread.
 
Thanks,
Robbie
 
 
Let's bounce this through Technical Council, too, to get a broader agreement.  I just mentioned it on the TC call.
 
 
Peter
 
--
Peter Murray
Open Source Community Advocate
Index Data, LLC

On Sep 25, 2019, 11:02 AM -0400, Harry Kaplanian <hkaplanian@ebsco.com>, wrote:

That is the concern.  But, I still believe this group must know.
I’m compiling a list of people in Sys-Ops that should be in the “group” now…
 
 
 
Is the concern that, if we report 0-day flaws in JIRA tickets, bad actors can come along and make exploits before our community can react?
 
On Wed, Sep 25, 2019 at 10:03 AM Harry Kaplanian <hkaplanian@ebsco.com> wrote:
Peter,
we need a security level that includes the Sys-Ops group since they are hosting and testing with possibly real data at this point in time.  In the future as they host live, it will become critical that this group has access to this data so they can take appropriate actions when needed.
Who can create this group?
 
 
 
It is set to a Jira security level of "FOLIO Core Team", so that may be limiting who can see it.
 
 
Peter
 
--
Peter Murray
Open Source Community Advocate
Index Data, LLC

On Sep 25, 2019, 9:15 AM -0400, Stephen Pampell <spampell@library.tamu.edu>, wrote:

Interesting, I don’t have permission to view either of those issues.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries

Tel. 979.458.5581 | Fax 979.845.6238

 

On Sep 25, 2019, at 7:51 AM, Harry Kaplanian <hkaplanian@EBSCO.COM> wrote:
 
Hello Sys-Ops SIG,
I’m sending this to the group as I know some of you are hosting and testing FOLIO instances and there is a chance you might be loading and using real user data.
Yesterday, during bug fest, a rather critical defect was found.  Please see:
 
The original posting is located here:
 
 
The good news is that a fix was deployed this morning and testing is ongoing.
Just in case any of you need to take precautions…
 
Harry
 
------------------------------------------------------
You received this message because you are subscribed to OLE Mailing List
"sysops-sig".
To unsubscribe from this list and stop receiving emails from it, follow
this link: http://archives.simplelists.com.
To post to this group, send email to
sysops-sig@ole-lists.openlibraryfoundation.org
<mailto:sysops-sig@ole-lists.openlibraryfoundation.org>.
Visit this group at
https://ole-lists.openlibraryfoundation.org<https://ole-lists.openlibraryfoundation.org>
.
 
--
Ian Walls
FOLIO Implementation Lead
pronouns: (he/him/his)
timezone: Eastern