[OPEN-ILS-DEV] Questions about security bugs/process

Justin Hopkins justin at mobiusconsortium.org
Wed Mar 4 14:01:32 EST 2015


Thanks for bringing this up Kathy. I'll +1 everything you've said so 
far. Like Jeff/Sitka, MOBIUS would be willing to commit resources to 
creating patches/signoffs for these highly critical issues.

Justin

On 3/4/15 12:42 PM, Jeff Davis wrote:
> On 15-03-04 07:46 AM, Kathy Lussier wrote:
>> I really think we need to increase the transparency of these bugs
>> without compromising the security of our systems in the process. Any
>> site running Evergreen in a production environment should have a right
>> to know when a known security bug affects their system, especially
>> when it comes to those bugs that have been left unresolved for many
>> months.  Maybe we could allow one trusted person from each site to
>> subscribe to security bugs, or maybe there are other methods for
>> sharing this information with Evergreen sites.
> Thanks for raising this, Kathy.  It's been on my mind as well.  For
> Sitka, it would certainly be helpful to have more awareness of issues
> that are known to the security team.  In our case, we'd be very
> willing to devote some resources to help resolve security issues more
> quickly, by writing code or by testing/signing off on fixes prior to
> release.  That might be helpful if there is a backlog of security
> issues that have been reported but not resolved.  But not all
> production Evergreen sites necessarily have the resources to
> contribute in those ways.
>
> And thanks very much to everyone involved in getting those fixes out!
