If we want to protect live sites from exploits of 0-days before they can be patched, I think we're better off adjusting our critical bug reporting procedures than locking down access to the report of the problem to a curated set of users.

Perhaps we keep the bug restricted to a trusted set of users until it's fixed, then once a fix is in place, we notify the community at large and make the issue open at that point? We'd need to make maintenance of this list of trusted users something the community can agree to, and make membership to it accessible.

Ian

On Wed, Sep 25, 2019 at 11:40 AM Stephen Pampell <spampell@library.tamu.edu> wrote:

The instances of FOLIO running in production are not the only ones exposed to the internet. I believe it to be unethical to allow those institutions (such as Texas A&M) to be kept in the dark while hosted instances get “fixed”. This is not how an OSS community works.

There needs to be a process by which we notify the community of security problems. And it can’t be one where we have 2 classes of organizations: one where you run on hosted instances and get patched immediately, and one where you self-host and get patches once the hosted instances are patched.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries
Tel. 979.458.5581 | Fax 979.845.6238

On Sep 25, 2019, at 10:26 AM, Robert Douglas <rld244@cornell.edu> wrote:
Ok thanks Peter.

From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Date: Wednesday, September 25, 2019 at 11:25 AM
To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Subject: Re: Important defect

I can't think of a way of summarizing it without giving away the exploit. Given that we have a library in production now, I think it is prudent to wait until the issue is fully addressed.

Peter
--
Peter Murray
Open Source Community Advocate
Index Data, LLC

Is there a description of the issue outside of Jira we can see? I’m not seeing it in this thread.

Thanks,
Robbie

From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Date: Wednesday, September 25, 2019 at 11:06 AM
To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>, "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Subject: Re: Important defect

Let's bounce this through Technical Council, too, to get a broader agreement. I just mentioned it on the TC call.

Peter
--
Peter Murray
Open Source Community Advocate
Index Data, LLC

On Sep 25, 2019, 11:02 AM -0400, Harry Kaplanian <hkaplanian@ebsco.com>, wrote:
That is the concern. But, I still believe this group must know.

I’m compiling a list of people in Sys-Ops that should be in the “group” now…

From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Ian Walls <ian@bywatersolutions.com>
Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Date: Wednesday, September 25, 2019 at 10:25 AM
To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Subject: Re: Important defect

Is the concern that, if we report 0-day flaws in JIRA tickets, bad actors can come along and make exploits before our community can react?

On Wed, Sep 25, 2019 at 10:03 AM Harry Kaplanian <hkaplanian@ebsco.com> wrote:

Peter,

we need a security level that includes the Sys-Ops group since they are hosting and testing with possibly real data at this point in time. In the future as they host live, it will become critical that this group has access to this data so they can take appropriate actions when needed.

Who can create this group?

From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Peter Murray <peter@indexdata.com>
Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Date: Wednesday, September 25, 2019 at 9:51 AM
To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
Subject: Re: Important defect

It is set to a Jira security level of "FOLIO Core Team", so that may be limiting who can see it.

Peter
--
Peter Murray
Open Source Community Advocate
Index Data, LLC

On Sep 25, 2019, 9:15 AM -0400, Stephen Pampell <spampell@library.tamu.edu>, wrote:

Interesting, I don’t have permission to view either of those issues.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries
Tel. 979.458.5581 | Fax 979.845.6238

On Sep 25, 2019, at 7:51 AM, Harry Kaplanian <hkaplanian@EBSCO.COM> wrote:

Hello Sys-Ops SIG,

I’m sending this to the group as I know some of you are hosting and testing FOLIO instances and there is a chance you might be loading and using real user data.

Yesterday, during bug fest, a rather critical defect was found. Please see:

The original posting is located here:

The good news is that a fix was deployed this morning and testing is ongoing.

Just in case any of you need to take precautions…

Harry

------------------------------------------------------
You received this message because you are subscribed to OLE Mailing List "sysops-sig".
To unsubscribe from this list and stop receiving emails from it, follow this link: http://archives.simplelists.com.
To post to this group, send email to sysops-sig@ole-lists.openlibraryfoundation.org.
Visit this group at https://ole-lists.openlibraryfoundation.org.
--
Ian Walls
FOLIO Implementation Lead
Phone: (888) 900-8944
pronouns: (he/him/his)
timezone: Eastern
--
Ian Walls
FOLIO Implementation Lead
pronouns: (he/him/his)
timezone: Eastern