-
Notifications
You must be signed in to change notification settings - Fork 2
TAG: August 10, 2022
Zoom link: https://us02web.zoom.us/j/968367412
Host key can be found in the description of the TAG Slack channel.
- Willow Gillingham
- Amy Blau
- Luke Taylor
- Don Richards
- Isabella Nikolaidis
- Security Workflow
- possibly opening TAG channel to emails
- Who is a part of the security group?
- Update https://github.com/islandora-interest-groups/Islandora-Security-Interest-Group/wiki/Disclosure-Policy
- This needs to go somewhere else more front-facing
-
Security Workflow
- Luke: Due to the nature of it, didn't feel it was appropriate to post publicly anywhere
- When security issues come up there needs to be some sort of back channel to get a plan together so it can be released in a way where we have fix, fix merged, advisory put together
- Once upon a time there was a security email - should we revive that and have a policy to say that if you have a security issues or vulnerabilities and you'd like to bring it to the foudnation's email here
- Don: We have a disclosure process but the documentation for it is in an interest group that is no longer
- https://github.com/islandora-interest-groups/Islandora-Security-Interest-Group/wiki/Disclosure-Policy
- Private message in tag channel or those reviewing the fix
-
The only time google groups is brought in is when the fix is published
-
Luke: Security announcement needs to be where CoC or procedures are
- Put a posting up on slack saying here's where it is
-
Luke, Don volunteers to be a part of this security response
- Someone from Born-digital might be interested as well - Gavin?
-
Luke: To the TAG group?
- Don: not all people in security response were available to be in tag
-
#security-response channel is open/public
-
Amy: Helpful to add a google form for security reports?
- make sure submissions aren't viewable publicly
-
Luke: What types of CI/CD testing we're running on Islandora proper? There are Drupal testing tools that likely could have caught the previous
- Drupal sniffs
-
Willow: Is this php pcs? It's a great utility to make your tool or make your code have dependency injections, standardized drupal requirements?
- You could activate specific standards, ex. Drupal would be one of them
-
Luke: What CI/CD is already in place?
-
Luke: Github action that kicks off or spins a ocntainer that runs codesniffer?
-
Don: Ultimately does pull you over to actions - security or actions takes you to actions - then under the Actions list is Security
Where should security contact email be listed?
- Willow: On Drupal site, module installs, info file for the dependencies
- Link to our security page/directions once moved
- Luke: Link in footer of islandora.ca
- Don: The process for submitting a ticket - to prevent people accidentally reporting security breach - add a new template to report security vulnerability - do not report! Go [here] instead ...
- Luke: https://www.islandora.ca/contact-us#comms-channels
π islandora-community wiki home Β· π community calendar Β· islandora website
Quick Link to a Wiki Search in Github
π Home
βοΈ Onboarding Checklist
πΊοΈ Roadmap
Committees/Groups
π Coordinating Committee (ICC)
π Technical Advisory Group (TAG)
π Code of Conduct Committee
Meetings
π Monthly TAG Meetings
π Biweekly Islandora Coordinating Committee Meetings for ICC members
Camps and Conferences
π£ Upcoming:
- No upcoming events
π£ Past Camps and Conferences
π see the Islandora Community Calendar for events and meetings.