Good morning Evergreen developers!

Thanks to everyone for getting the recent security release out, particularly to Jason Stephenson for creating the fixes for the security issues and to Dan Wells, Ben Shum, and Bill Erickson for coordinating the release cutting.

A couple of questions arose as I was reviewing the LP bugs that describe the problems that were being fixed by the security releases. LP1206589 was submitted on July 30, 2013 and is related to information that any site using credit card processing would want to keep private. We have one site that has been using credit card processing since before the bug was filed. I'm sure there are other sites in the community that were also using it or that may have decided to implement credit card processing after the bug was filed.

All of these sites would have wanted to know that there was a security issue with these credit card settings, as well as the additional security issues identified in LP1424755. However, once LP1206589 was set to a private security bug in September 2013, these sites had no way of finding out that there was a security issue that a small group of community members were aware of.

Knowledge of that security issue may have influenced their decision to implement/continue using credit card processing. If credit card processing was a critical service in their environments, they may also have made the decision to fund a fix for the bug sooner.

Here are my questions regarding security bugs:

Who is allowed access to security bugs and are there ways others in the community can find out about these bugs? I understand why we don't want this information available to the general public, but, IMO, the closed nature of security bugs only works in an environment where we know we can get a quick turnaround on fixes for critical security issues.

What is the typical turnaround time for security bugs that are ultimately determined to be of critical or high importance? Was the turnaround time on this security issue unique or are there other security bugs that have been in LP for several months that would cause me to lose sleep if I knew they existed?

I'm also curious about the general process that follows the submission of a security bug. Is there somebody that goes through them to identify which ones require some immediacy and then makes sure they get addressed in a timely manner?

I really think we need to increase the transparency of these bugs without compromising the security of our systems in the process. Any site running Evergreen in a production environment should have a right to know when a known security bug affects their system, especially when it comes to those bugs that have been left unresolved for many months. Maybe we could allow one trusted person from each site to subscribe to security bugs, or maybe there are other methods for sharing this information with Evergreen sites. I would like to hear thoughts from others on how we can improve transparency.

Thanks!
Kathy


--
Kathy Lussier
Project Coordinator
Massachusetts Library Network Cooperative
(508) 343-0128
[email protected]
Twitter: http://www.twitter.com/kmlussier
