
Minutes: Grouper call 14-Aug-2013

Attending

Tom Barton, U. Chicago (Chair)
Jim Fox, U. Washington
Bill Thompson, Unicon
Chris Hyzer, U. Penn
Shilen Patel, Duke
Dave Langenberg, U. Chicago
Emily Eisbruch, Internet2, scribe


New Action Items

[AI] (Chris) set up a wiki page showing security patch history (Done) https://spaces.internet2.edu/display/Grouper/Grouper+patches

[AI] (Emily) add the new Grouper-Announce list info to the "Grouper Mailing Lists" page of the Grouper website (Done) http://www.internet2.edu/grouper/lists.html

[AI] (Emily) add the Grouper-Announce list info to the Software Download page and remove the security info at bottom of that page (Done) http://www.internet2.edu/grouper/software.html

[AI] (Emily) mention to Dean a possible IAM Online based on the security working group activity Bill mentioned within the CAS community. (Done)

[AI] (Dave) draft a message about Grouper Security patches generally going back 3 releases, and share this draft with the Grouper-core list

[AI] (Chris) look at the Opt-in / Opt-out problem https://bugs.internet2.edu/jira/browse/GRP-930

Carry Over Action Items

[AI] (Chris) inform the list about the new security form and the Grouper-Announce list (when form has been tested and linked to the wiki and/or web)

[AI] (Chris) prepare Grouper 2.1.5 release

[AI] (Dave) touch base with TomZ around PSP support issues

[AI] (Dave) contact SURFnet for architecture diagrams etc. (additional follow up may be required)

[AI] (Andrew) let us know what emerges from the Apereo security notification process work.

[AI] (Shilen) email the Grouper-users lists to ask who is using the legacy attributes and ask how they are using them

DISCUSSION

Grouper-Announce List

SteveO has set up the Grouper-Announce@internet2.edu list for announcing security fixes.

Emily will add the Grouper-Announce list to the software downloads page: (done) http://www.internet2.edu/grouper/software.html

Security Report Form

Chris has set up a wiki page listing Grouper security patches. https://spaces.internet2.edu/display/Grouper/Grouper+patches

SteveO has created a new form for reporting security issues at https://spaces.internet2.edu/display/Grouper/Grouper+Security+Issue+Report+Form

This security issue report form needs to be tested and also linked to from the appropriate pages.  
Once this is done, Chris will send out a note to the Grouper-users list about the new Grouper-Announce list and the new security issue form.

Grouper Web Service Security Patch and Opt in /Opt Out

Shilen fixed the Web Services issue around deleting an attribute.
Chris noted that there was a related Opt-in Opt-out issue.

[AI] (Chris) look at the Opt-in / Opt-out problem https://bugs.internet2.edu/jira/browse/GRP-930

How many Versions Back to Patch?

How far back should we go back with security patches? Web services started at 1.4 or 1.5, so the practice to date has been to go back and patch old versions.
Several sites are still running 1.5 and 1.6.

Jim suggested that an official "end of life" should be established for a version. The Shibboleth project does this.

Bill suggested that in an open source project, since there is no license fee being paid, there is no guarantee of support. It is still good to have a reasonable strategy. Rule of thumb is to be sure to patch the version that the majority of the community is using. Users using an old version may want to do their own patch and make it available.

Decision: Announce that we go back 3 major versions (roughly 3 years) with security patches. This sets expectations and encourages sites to upgrade.

Right now that would mean v2.1, v2.0, and v1.6.  
Then after the release of Grouper 2.2, the supported versions would be v2.2, v2.1 and v2.0

This info should be mentioned:
-on the Grouper Software Download page.
-on the Security Reporting Page

Bill: important to make it clear that as an open source project, there is no contractual obligation for support. This is community support.
One of the often-mentioned benefits of open-source software is to get off cycle of forced upgrades that proprietary vendors can sometimes impose.
There are subtle differences that we should keep in mind in the language we use around this topic.

Language like "For your planning purposes, we wanted to let you know that we are trying our best to maintain the last 3 major revs"
DaveL will work on a draft and share it with the Grouper Core list.
[AI] (Dave) draft a message about Grouper Security patches generally going back 3 releases, and share this draft with the Grouper-core list

Bill noted that the CAS community has started a group to look at Security issues.
Bill will send a note to the Grouper-users list about this. https://lists.internet2.edu/sympa/arc/grouper-users/2013-08/msg00018.html

There will be a presentation on this at AppSecUSA 2013 in November. http://appsecusa.org/2013/schedule/

[AI] (Emily) mention to Dean a possible IAM Online based on the security working group activity Bill mentioned within the CAS community. (Done)

Update on Pen Testing at U. Penn.

Chris reported that Pen Testing is going well at U. Penn

Grouper 2.2 Development

-Shilen will return to working on the legacy attribute migration once the web services patch work is done.
-Chris will return to work on the Grouper 2.2 UI soon.
-It was agreed that it makes sense to focus on the new membership API method (Java chaining of criteria for a query) in Grouper 2.2 and remove the privilege resolver approach.

Target:  *** Release Grouper 2.2 around January 2014 *****

Upcoming Meetings
NSF campus IdM for research, Chicago Aug 28-29
TERENA TF-EMC2 & TF-MNM, Malaga, Spain, Oct 15-17
Identity Week, San Francisco, Nov 11-15  http://www.incommon.org/idweek/
Next Grouper call: 28-August-2013 at noon ET
