I don't quite understand this dispute. If SysOps SIG members can view the issue in JIRA immediately and get notified, then the institutions that don't run production instances can also view the issue, as long as they have one member in the SysOps SIG (which most have, and if not they can send one).

I agree with Ian's procedure from Koha, that the community shall be notified to install the latest updates to their current version as soon as the security bug is fixed.

- Ingolf


>>> Tod Olson <tod@uchicago.edu> 25.09.2019 18:27 >>>
I'm on TC, we expect to be hosted for production, but are self-hosting some local test boxen.

-Tod

On Sep 25, 2019, at 11:18 AM, Stephen Pampell <spampell@library.tamu.edu> wrote:

Who on TC is affiliated with an institution that is self-hosting?

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries

Tel. 979.458.5581 | Fax 979.845.6238

On Sep 25, 2019, at 11:13 AM, Wayne Schneider <wayne@indexdata.com> wrote:

It does sound like the technical council has already been asked to address this. I believe the TC has strong representation from both "hosted" and "self-hosting" community members, doesn't it? I think this is the first "0-day" potential exploit that has been reported, so perhaps we should step back a little bit and work with the community to come up with a solid set of policies and procedures before jumping to the conclusion that anyone is trying to hide information to the advantage of hosting providers.

Are there other examples of 0-day exploit reporting policies from other OSS communities that might serve as useful models? That might be something we could look at as a SIG, to provide input to the tech council.

   wayne

On Wed, Sep 25, 2019 at 10:46 AM Ian Walls <ian@bywatersolutions.com> wrote:
If we want to protect live sites from exploits of 0-days before they can be patched, I think we're better off adjusting our critical bug reporting procedures than locking down access to the report of the problem to a curated set of users.

Perhaps we keep the bug restricted to a trusted set of users until it's fixed, then once a fix is in place, we notify the community at large and make the issue open at that point? We'd need to make maintenance of this list of trusted users something the community can agree to, and make membership to it accessible.


Ian

On Wed, Sep 25, 2019 at 11:40 AM Stephen Pampell <spampell@library.tamu.edu> wrote:
The instances of FOLIO running in production are not the only ones exposed to the internet.  I believe it to be unethical to allow those institutions (such as Texas A&M) to be kept in the dark while hosted instances get “fixed”. This is not how an OSS community works.

There needs to be a process by which we notify the community of security problems. And it can’t be one where we have 2 classes of organizations: one where you run on hosted instances and get patched immediately, and one where you self-host and get patches once the hosted instances are patched.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries

Tel. 979.458.5581 | Fax 979.845.6238

On Sep 25, 2019, at 10:26 AM, Robert Douglas <rld244@cornell.edu> wrote:

Ok thanks Peter.
 
 
I can't think of a way of summarizing it without giving away the exploit.  Given that we have a library in production now, I think it is prudent to wait until the issue is fully addressed.
 
 
Peter
 
-- 
Peter Murray
Open Source Community Advocate
Index Data, LLC
On Sep 25, 2019, 11:17 AM -0400, Robert Douglas <rld244@cornell.edu>, wrote:

Is there a description of the issue outside of Jira we can see? I’m not seeing it in this thread.
 
Thanks,
Robbie
 
 
Let's bounce this through Technical Council, too, to get a broader agreement.  I just mentioned it on the TC call.
 
 
Peter
 
--
Peter Murray
Open Source Community Advocate
Index Data, LLC
On Sep 25, 2019, 11:02 AM -0400, Harry Kaplanian <hkaplanian@ebsco.com>, wrote:
That is the concern. But I still believe this group must know.
I’m compiling a list of people in Sys-Ops that should be in the “group” now…
 
 
Is the concern that, if we report 0-day flaws in JIRA tickets, bad actors can come along and make exploits before our community can react?
 
On Wed, Sep 25, 2019 at 10:03 AM Harry Kaplanian <hkaplanian@ebsco.com> wrote:
Peter,
we need a security level that includes the Sys-Ops group since they are hosting and testing with possibly real data at this point in time.  In the future as they host live, it will become critical that this group has access to this data so they can take appropriate actions when needed.
Who can create this group?
 
 
It is set to a Jira security level of "FOLIO Core Team", so that may be limiting who can see it.
 
 
Peter
 
--
Peter Murray
Open Source Community Advocate
Index Data, LLC
On Sep 25, 2019, 9:15 AM -0400, Stephen Pampell <spampell@library.tamu.edu>, wrote:
Interesting, I don’t have permission to view either of those issues.

Stephen Pampell | Systems Administrator IV
Digital Initiatives | University Libraries

Tel. 979.458.5581 | Fax 979.845.6238
 
On Sep 25, 2019, at 7:51 AM, Harry Kaplanian <hkaplanian@EBSCO.COM> wrote:
 
Hello Sys-Ops SIG,
I’m sending this to the group as I know some of you are hosting and testing FOLIO instances and there is a chance you might be loading and using real user data.
Yesterday, during bug fest, a rather critical defect was found.  Please see:
 
The original posting is located here:
 
 
The good news is that a fix was deployed this morning and testing is ongoing.
Just in case any of you need to take precautions…
 
Harry
 
------------------------------------------------------
You received this message because you are subscribed to OLE Mailing List
"sysops-sig".
To unsubscribe from this list and stop receiving emails from it, follow
this link: http://archives.simplelists.com.
To post to this group, send email to
sysops-sig@ole-lists.openlibraryfoundation.org.
Visit this group at
https://ole-lists.openlibraryfoundation.org.
 

 
--
Ian Walls
FOLIO Implementation Lead
pronouns: (he/him/his)
timezone: Eastern
 



