[OPEN-ILS-DEV] Questions about security bugs/process

Jeff Davis jdavis at sitka.bclibraries.ca
Wed Mar 4 13:42:50 EST 2015


On 15-03-04 07:46 AM, Kathy Lussier wrote:
> I really think we need to increase the transparency of these bugs
> without compromising the security of our systems in the process. Any
> site running Evergreen in a production environment should have a right
> to know when a known security bug affects their system, especially
> when it comes to those bugs that have been left unresolved for many
> months.  Maybe we could allow one trusted person from each site to
> subscribe to security bugs or maybe there are other methods for
> sharing this information for Evergreen sites.

Thanks for raising this, Kathy.  It's been on my mind as well.  For
Sitka, it would certainly be helpful to have more awareness of issues
that are known to the security team.  In our case, we'd be very
willing to devote some resources to help resolve security issues more
quickly, by writing code or by testing/signing off on fixes prior to
release.  That might be helpful if there is a backlog of security
issues that have been reported but not resolved.  But not all
production Evergreen sites necessarily have the resources to
contribute in those ways.

And thanks very much to everyone involved in getting those fixes out!
-- 
Jeff Davis
Lead Evergreen Specialist
BC Libraries Cooperative

