Date
Attendees
Discussion items
| Time | Item | Who | Notes |
|---|---|---|---|
| | Process for vulnerability reporting and messaging | Heather | |
| | Ilkay's idea for mapping issues and user stories | Heather | |
| | Fedora 6 update and questions about forming a testing group | Heather | |
| | Populating the roadmaps document with partners (from last meeting's discussion) | Kate | |
| | Codifying PO process | Kate | |
| | Google shared drive | Heather | |
| | New meeting day/time? | Jen | |
Notes
- Process for vulnerability reporting and messaging
  - We got a report of a vulnerability in Hyrax last week. What do we do with these? The process is roughly half documented. Heather reached out to Mike Giarlo about this, and she is picking up finishing the documentation.
  - Partners are supposed to "get the alert 4 weeks ahead" – 4 weeks ahead of what? Why wait to tell everyone?
  - The idea is to give some benefit to Samvera Partners. It is also a security issue if the report goes to everyone on the list first: then everyone knows there is a security hole in their repo before a fix is available, so it makes sense to prioritize the Partners as implementers.
  - As soon as we find out, we should let the Partners know about the vulnerability; the PO can then let them know when there is a patch.
  - Another idea: keep the sphere of knowledge about the vulnerability small until we have a technical solution in place. If something requires a quiet fix before we can afford to be loud about it, we should delay sending it to the tech list, as the tech list is public. It would not be reasonable to put the whole burden of protection onto one implementer to fix.
  - Another idea: handle this case by case to determine how to safely roll out the information.
  - Path forward: send to the Partners so they can reach out to their technical contacts: "this has been received." Send to the relevant PO and Tech Lead as well, and ask them how they want to address it and parse out the information.