Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
Ingolf Kuss (18 Jul 2019 12:46 EDT)

Re: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
Harry Kaplanian (18 Jul 2019 13:51 EDT)

Re: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
Ian Walls (18 Jul 2019 15:22 EDT)

Re: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
Drexl, Johannes (19 Jul 2019 09:37 EDT)
Hi everyone,

As Wayne and I had a small talk yesterday about the security of the current software build chain in Folio, and today this topic was covered in a hacker's blog in Germany, I've translated the article (with Google's helping hand) and put it down here for everyone to read. Just so you know: this is by no means a FOLIO problem, it's a common software problem with all software built with the current understanding of 'agile' methods:

# Fefe's blog - https://blog.fefe.de/?ts=a3cf6498 >>>>> #

A Devsecops propaganda wave is currently rolling across the country. Let me make one thing clear: Devsecops does not create secure software. With Devsecops, software is created that is too volatile, and where the developers are too overloaded and distracted to even be able to make statements about security.

The whole idea is ridiculous! Imagine somebody wanted to sell you a safe. And that it did not come about on the basis of planning by competent experts and implementation according to plan, but was fumbled together by a few "retrained" ("the actual training comes later, atm we have a deadline") low-wage jobbers recruited from the web-botcher multimedia shithole environment. And they say: Yeah, we did not have a plan, but we've always done a nice job!!1! Would you trust such a safe with your valuables? OF COURSE NOT!

I meanwhile hold the thesis that one should not talk about the security of code, but the metric should be whether the security is not only there but obviously measurable (i.e. not "nobody has reported bugs" but you look at the code and see that it is obviously safe and secure). That's one half. The other half is that you have a design that minimizes the impact of bugs.

Devsecops is marketing bullshit of people who want to tell you that their dysfunctional multi-stakeholder team is somehow still able to deliver good code, although none of them can cover the range of skills attributed to the team, nor does the product have a thought-out design, and even if there were any design rudiments they'd be thrown away and rescheduled in the short term if anyone feels it's necessary. That's no way to good products. That's exactly the way to get a Boeing 737 Max. In other words, security is not something you retrofit. Not even in a process that makes retrofitting as easy as possible. Security is something that you think about beforehand.

# <<<<< Fefe's Blog #

About Fefe: Felix von Leitner is a software engineer specialized in IT security and a prominent yet polarizing figure in Germany's hacker scene. He's an advocate against bloatware and antivirus software (he calls them snake oil), as it opens quite a lot of security holes while only closing some which could be entirely avoided with sensible permission management. His blog is frequently cited by IT newspapers and covers IT security, political content (mostly internet, domestic and economic) and MINT (STEM) science topics. It runs on a self-developed small web server named gatling, tinyldap, and only serves pure HTML. Fefe is also famous for his dietlibc. Some people joke he's one of the few guys who munches Linux kernel code for breakfast. https://en.wikipedia.org/wiki/Felix_von_Leitner

That doesn't mean EBSCO does a shitty job. It just sheds light on the state of currently developed software and the problems we as sysops will have with that approach in the future (and for that matter already have with quite a lot of stuff, e.g. mongodb in AWS environments).
--
Kind regards,
Jo

--------------
Drexl Johannes
Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften
Boltzmannstraße 1
85748 Garching
User office tel.: 089-35831-8000
Service desk tel.: 089-35831-8800

On Thursday, 18.07.2019, 15:22 -0400, Ian Walls wrote:
> I've got to drop by the Community Outreach SIG tomorrow at the same
> time.... will check the notes and get caught up for next week's
> meeting.
>
> Cheers,
>
> Ian
>
> On Thu, Jul 18, 2019 at 1:52 PM Harry Kaplanian <hkaplanian@ebsco.com> wrote:
> > Hello everyone,
> > I will not be able to attend tomorrow's meeting.
> > Looking forward to talking to all of you next week.
> >
> > Harry
> >
> > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on behalf of Ingolf Kuss <KUSS@hbz-nrw.de>
> > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > Date: Thursday, July 18, 2019 at 12:47 PM
> > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <sysops-sig@ole-lists.openlibraryfoundation.org>
> > Subject: Sys Ops SIG meets tomorrow, 10 AM EST (9 AM CST, 4 PM CET; 2 PM UTC)
> >
> > CAUTION: External E-mail
> >
> > Hi all,
> >
> > we meet tomorrow at the regular time, 10 A.M. Eastern.
> >
> > Let's prioritize topics for the next sessions. I have heard that
> > integration prerequisites need to be picked up by us in order to
> > influence development priorities. If you have any new requirements
> > for integrations for your institution, please consider reporting
> > them to the group tomorrow.
> >
> > We will also follow up on the security issues.
> >
> > Here is the agenda: https://wiki.folio.org/display/SYSOPS/2019-07-19+-+System+Operations+and+Management+SIG+Agenda+and+Notes
> >
> > I hope to meet you tomorrow,
> >
> > Ingolf
> >
> > ----------------------------
> >
> > Here are as usual the connection details:
> > Meetings are held on Fridays at 10:00am Eastern U.S. time. A
> > meeting will last 1 hour.
> > Please join us via Zoom:
> > Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/591934220
> > Or iPhone one-tap (US Toll): +16465588656,591934220# or +14086380968,591934220#
> > Or Telephone:
> > Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
> > Meeting ID: 591 934 220
> > International numbers available: https://zoom.us/zoomconference?m=Uz8gOxV-yqHRNcWlZKa4trK_0dP7WPfp
> >
> > Dr. Ingolf Kuss
> > hbz - Hochschulbibliothekszentrum NRW
> > Postfach 270451
> > 50510 Köln
> > Germany
> > Tel.: (+49) (0) 221 400 75-161
> > e-mail: kuss@hbz-nrw.de
> > www.hbz-nrw.de
> > ------------------------------------------
> >
> > ------------------------------------------------------
> > You received this message because you are subscribed to OLE Mailing List "sysops-sig".
> > To unsubscribe from this list and stop receiving emails from it, follow this link: http://archives.simplelists.com.
> > To post to this group, send email to sysops-sig@ole-lists.openlibraryfoundation.org.
> > Visit this group at https://ole-lists.openlibraryfoundation.org.
> > ------------------------------------------------------
>
> --
> Ian Walls
> FOLIO Implementation Lead
> ByWater Solutions
> Phone: (888) 900-8944
> pronouns: (he/him/his)
> timezone: Eastern