Re: [CODE4LIB] Google can give you answers, but librarians give you the right answers

2016-04-01 Thread Andrew Anderson
On Apr 1, 2016, at 0:31, Cornel Darden Jr. <corneldarde...@gmail.com> wrote:

> "Google can give you answers, but librarians give you the right answers."
> 
> Library: "because not everything on the internet is true"
> 
> Some people applauded the statement and were like: "yay librarians!"
> 
> Others thought it was a very ignorant statement. And many patrons caused a 
> huge backlash. It was interesting as the library responded to the irritated 
> patrons. 

While I understand the motivation behind these statements, it also presents as 
“You’re doing it wrong!”, which is likely part of the reason for the backlash.  

Some of the more effective materials that I’ve seen created to communicate this 
concept effectively show sample search engine results with millions of hits of 
varying quality juxtaposed against commercial databases with dozens of high 
quality hits, letting the user draw their own conclusion that they would rather 
look through a few dozen relevant items than all the chaff from the search 
engine results.

Don’t tell them they’re doing it wrong, let them see that there’s a better way 
and let them choose the better option willingly.

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes


Re: [CODE4LIB] Internet of Things

2016-03-31 Thread Andrew Anderson
For those who were not previously aware of IoT, here’s a primer focused 
specifically on the library space:

https://www.oclc.org/publications/nextspace/articles/issue24/librariesandtheinternetofthings.en.html

IMHO this is still a very young concept, and not even fully imagined yet, so 
there is no reason to feel like you’ve missed the boat, when the ship hasn’t 
even reached the dock yet.

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Mar 30, 2016, at 22:16, Lesli M <les...@gmail.com> wrote:

> I feel compelled to pipe up about the comment "Very sad that a librarian 
> didn't know what it was."
> 
> Librarians come in all flavors and varieties. Until I worked in a medical 
> library, I had no idea what a systematic review was. I had no idea there was 
> a variety of librarian called "clinical librarian."
> 
> Do you know the hot new interest for law libraries? Medical libraries? 
> Science libraries?
> 
> The IoT is a specific area of interest. Just like every other special 
> interest out there.
> 
> Is it really justified to expect all librarians of all flavors and varieties 
> to know this very tech-ish thing called IoT?
> 
> Lesli


Re: [CODE4LIB] [patronprivacy] Let's Encrypt and EZProxy

2016-01-16 Thread Andrew Anderson
On Jan 15, 2016, at 13:20, Salazar, Christina <christina.sala...@csuci.edu> 
wrote:

> Something that I also see implied here is why aren’t vendors doing a better 
> job collaborating with the developers of EZProxy, instead of only putting the 
> pressure on Let’s Encrypt to support wildcard certs (although I kind of think 
> that’s the better way to go).


Because it’s easier than actually taking the time to fully understand the 
platforms and how all the pieces fit together.  

I’ve lost track of how many discussions I have had with various vendors 
recently over:

* Why they need to encode URLs before trying to pass them to another service 
like EZproxy's login handler
* Why they really do need to pay attention to what RFC 2616 Section 3.2.2 and 
RFC 2396 Section 2.2 have to say regarding the use of the reserved character in 
URLs
* Why it’s a bad idea to add “DJ google.com” in the EZproxy stanza
* Why it’s a bad idea to add “DJ ” in the EZproxy stanza
* Why it’s a bad idea to add “DJ ” in the EZproxy 
stanza

Instead of trying to understand how proxied access works, someone just keeps 
slapping “DJ ” or “HJ ” into the service stanza 
until the service starts working, and then never revisits the final product to 
see if those additions were really necessary.  Do this for a few platform 
iterations, and the resulting stanza can become insane.

The conversations typically go something like this:

Me: “Why are you trying to proxy google.com services?” 
Vendor: “Because we’re loading the jQuery JavaScript library from their CDN."
Me: “And how are you handling registering all your customer’s IP addresses with 
Google?” 
…  … 
Vendor: “We don’t”.
Me: “Then why do you think you need that in your proxy stanza?”. 
…  …
Vendor: “We . . . don’t?”
Me: “Exactly. And how are you reaping the performance benefits of a CDN service 
if you’re funneling all of the unauthenticated web traffic through a proxy 
server instead of allowing the CDN to do what it does best and keeping the 
proxy server out of the middle of that transaction?"
Vendor: “We . . . aren’t?”
Me: “That’s right, by adding ‘DJ ’ to your stanza, you have 
successfully negated the performance benefits of using a CDN service.”

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes


Re: [CODE4LIB] Let's Encrypt and EZProxy

2016-01-14 Thread Andrew Anderson
Eric,

Check out Startcom’s StartSSL service (https://www.startssl.com), for $120 you 
have the ability to generate 3-year wildcard certificates with their 
Organizational Validation level of service.

Andrew

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jan 14, 2016, at 21:33, Eric Hellman <e...@hellman.net> wrote:

> I would also go with the $120 3 year wildcard cert for ezproxy. What vendor 
> are you using?
>> On Jan 14, 2016, at 7:23 PM, Cary Gordon <listu...@chillco.com> wrote:
>> 
>> I love the idea of Let’s Encrypt, but I recently bought a three year 
>> wildcard cert subscription for about $120. I would need to fall firmly into 
>> the true believer category to go the route you suggest.
>> 
>> Cary
>> 
>>> On Jan 14, 2016, at 11:20 AM, Eric Hellman <e...@hellman.net> wrote:
>>> 
>>> A while back, the issue of needing a wildcard certificate (not supported by 
>>> Lets Encrypt) for EZProxy was discussed.
>>> 
>>> In my discussions with publishers about switching to HTTPS, EZProxy 
>>> compatibility has been the most frequently mentioned stumbling block 
>>> preventing a complete switch to HTTPS for some HTTPS-ready  publishers. In 
>>> two cases that I know of, a publisher which has been HTTPS-only was asked 
>>> by a library customer to provide insecure service (oh the horror!) for this 
>>> reason.
>>> 
>>> It's been pointed out to me that while Lets Encrypt is not supporting 
>>> wildcard certificates, up to 100 hostnames can be supported on a single LE 
>>> certificate. A further limit on certificates issued per week per domain 
>>> would mean that up to 500 hostnames can be registered with LE in a week.
>>> 
>>> Are there EZProxy instances out there that need more than 500 hostnames, 
>>> assuming that all services are switched to HTTPS?
>>> 
>>> Also, I blogged my experience talking to people about privacy at #ALAMW16.
>>> http://go-to-hellman.blogspot.com/2016/01/not-using-https-on-your-website-is-like.html
>>> 
>>> Eric
>>> 
>>> 
>>> Eric Hellman
>>> President, Free Ebook Foundation
>>> Founder, Unglue.it https://unglue.it/
>>> https://go-to-hellman.blogspot.com/
>>> twitter: @gluejar
>>> 
> 


Re: [CODE4LIB] FOSS recommendations for online-only library

2015-08-23 Thread Andrew Anderson
I would recommend Apache’s mod_proxy over Squid for a library setting, as it 
can be morphed into a general rewriting proxy easier than Squid can for 
off-site access.

It’s true that both can be made to perform the rewriting function, but the bar 
for entry is lower for Apache and it supports a broader set of authentication 
options than Squid does.

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Aug 23, 2015, at 0:45, Cornel Darden Jr. corneldarde...@gmail.com wrote:

 Hello,
 
 There are open-source proxies available. I would give squid a try. 
 http://wiki.squid-cache.org/Features/Authentication
 
 At such a library, public domain materials are awesome! I would look into 
 calibre as an ebook server and manager. http://calibre-ebook.com
 
 Of course, project Gutenberg and the internet archive will supply calibre 
 with thousands of free books. Also, look into drm free publishers. With squid 
 active, many non-drm options can be realized for eBooks too. Do not allow 
 access to databases without authentication. 
 
 Sent from my iPhone
 
 On Aug 22, 2015, at 11:06 PM, Nicole Askin nask...@alumni.ubc.ca wrote:
 
 1. We don't currently have such technology, though we are definitely
 looking at it beyond this project as well
 2. Either. From my understanding there aren't many/any comprehensive free
 discovery products. We're currently making do with a Google custom search
 engine, which is a very suboptimal solution
 3. Yes. I'm working on learning what I can, and we're working on tech
 support options.
 Thanks,
 Nicole
 
 On Fri, Aug 21, 2015 at 2:11 PM, Kevin Hawkins 
 kevin.s.hawk...@ultraslavonic.info wrote:
 
 We should probably clarify your needs a bit.
 
 Will you need technology that manages authentication of authorized users,
 or does your non-profit already have some tool (like a user login or proxy
 server) that can decide which users should be able to get access to your
 resources?
 
 You mention discovery options ... are you thinking of a discovery
 product or old-fashioned federated search that provides a single user
 search interface that searches across many or all of your licensed
 products?  And a link resolver?
 
 As a general rule of thumb, you can either have limited tech support or
 use open-source software but not both.  :(
 
 Kevin
 
 
 On 8/20/15 5:04 PM, Nicole Askin wrote:
 
 Hello all,
 I'm working with a non-profit that is offering access to research
 databases
 for patrons that do not otherwise have it. We are hoping to develop a
 library portal to support users, ideally including both article- and
 journal-level search. We'd like to do this as much as possible using
 *only*
 free and open source software, so I'm looking for recommendations on what
 to use and, crucially, what works well together.
 Some parameters:
 -We have no physical location or physical holdings - don't need
 circulation
 or anything in that category, although access stats would be nice
 -We do not have our own hosted materials - no need for a CMS
 -We have very limited tech support
 
 Any thoughts? I've been playing around with VuFind and reSearcher so far
 but am definitely open to other possibilities, particularly if there are
 good discovery options available.
 
 Thanks,
 Nicole
 
 


Re: [CODE4LIB] Protocol-relative URLs in MARC

2015-08-17 Thread Andrew Anderson
There are multiple questions embedded in this:

1) What does the MARC standard have to say about 856$u?

$u - Uniform Resource Identifier

Uniform Resource Identifier (URI), which provides standard syntax for locating 
an object using existing Internet protocols. Field 856 is structured to allow 
for the creation of a URL from the concatenation of other separate 856 
subfields. Subfield $u may be used instead of those separate subfields or in 
addition to them.

Subfield $u may be repeated only if both a URN or a URL or more than one URN 
are recorded.

Used for automated access to an electronic item using one of the Internet 
protocols or by resolution of a URN. Subfield $u may be repeated only if both a 
URN and a URL or more than one URN are recorded. Field 856 is repeated if more 
than one URL needs to be recorded.

Here, it is established that $u uses a URI, which leads to….

2) What do the RFCs say about protocol-relative URIs?

http://tools.ietf.org/html/rfc3986#section-4.1

  URI-reference is used to denote the most common usage of a resource
   identifier.

  URI-reference = URI / relative-ref

   A URI-reference is either a URI or a relative reference.  If the
   URI-reference's prefix does not match the syntax of a scheme followed
   by its colon separator, then the URI-reference is a relative
   reference.

So by the stated use of URIs in the MARC standard, and the RFC definition of 
the URI relative reference, there should be no standards basis by which 
protocol relative URLs should not be valid for use in 856.

Expanding out to the software support, most tools that I have used with general 
URL manipulation in general have no problems with this format, but I have only 
used PyMARC for manipulating MARC records, not any of the other MARC editors. 
If they try to be too clever about data validation and not quite clever enough 
about standards and patterns, there could be issues at this level.

As for browser support, IE7 & IE8 have issues with double-loading some 
resources when used in this manner, but those browsers are becoming nearly 
extinct, so I would not anticipate client-side issues as long as the 
intermediate system that consumes the 856 record and renders it for display can 
handle this.  Our web properties switched to using this pattern several years 
ago to avoid the “insecure content” warnings and we have had no issues on the 
client side.  

Then the other consumers of MARC data come into play — title lists, link 
resolvers, proxy servers, etc.  A lot of what I’ve seen in this space are 
lipstick wearing dinosaurs of a code base, so unless the vendor is particularly 
good about keeping up with current web patterns, this is where I would expect 
the most challenges.  There may be implicit or explicit assumptions built into 
systems that would break with protocol-relative URLs, e.g. if the value is 
passed directly to a proxy server, it may not know what to do without a scheme 
prefixed to the URI, and attempt to serve local content instead.

That said, there is a big push recently for dropping non-SSL connections in 
general (going so far as to call the protocol relative URIs an anti-pattern), 
so is it really worth all the potential pain and suffering to make your links 
scheme-agnostic, when maybe it would be a better investment in time to switch 
them all to SSL instead?  This dovetails nicely with some of the discussions I 
have had recently with electronic services librarians about how to protect 
patron privacy in an online world by using SSL as an arrow in that quiver.

Andrew

-- 
Andrew Anderson, President & CEO, Library and Information Resources Network, 
Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Aug 17, 2015, at 16:41, Stuart A. Yeates syea...@gmail.com wrote:

 I'm in the middle of some work which includes touching the 856s in lots of
 MARC records pointing to websites we control. The websites are available on
 both https://example.org/ and http://example.org/
 
 Can I put //example.org/ in the MARC or is this contrary to the standard?
 
 Note that there is a separate question about whether various software
 systems support this, but that's entirely secondary to the question of the
 standard.
 
 cheers
 stuart
 --
 ...let us be heard from red core to black sky
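
An added example, not part of the original posts: a Python sketch of the RFC 3986 distinction discussed in this thread, showing how an 856$u value resolves depending on whether the consumer has a base URI. The sample values, the catalog.example.edu base and the function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def classify(value):
    """Classify an 856$u value as a URI or one kind of relative reference."""
    if _SCHEME.match(value):
        return "uri"                 # has a scheme: http:, https:, urn:, ...
    if value.startswith("//"):
        return "network-path"        # the "protocol-relative" form
    if value.startswith("/"):
        return "absolute-path"
    return "relative-path"


def resolve(value, base=None, default_scheme="https"):
    """Resolve a value the way a consumer of the record would have to.

    With a base URI (for example the catalogue page that renders the link)
    the reference is resolved against it, so a network-path reference
    inherits the scheme of that page. Without a base, only network-path
    references can be completed, and only by policy (default_scheme, an
    assumption of this sketch); other relative references are rejected.
    """
    kind = classify(value)
    if kind == "uri":
        return value
    if base is not None:
        return urljoin(base, value)
    if kind == "network-path":
        return default_scheme + ":" + value
    raise ValueError("relative reference %r needs a base URI" % value)


def audit(values, base=None):
    """Return (value, kind, resolved-or-None) for each 856$u value."""
    report = []
    for value in values:
        try:
            resolved = resolve(value, base)
        except ValueError:
            resolved = None
        report.append((value, classify(value), resolved))
    return report


# Constructed sample 856$u values.
SAMPLE_856U = [
    "https://example.org/",
    "//example.org/",
    "urn:isbn:0451450523",
    "example.org/path",      # scheme and slashes both missing
]

if __name__ == "__main__":
    for base in (None,
                 "http://catalog.example.edu/record/1",
                 "https://catalog.example.edu/record/1"):
        print("base:", base)
        for value, kind, resolved in audit(SAMPLE_856U, base):
            print("  %-22s %-14s -> %s" % (value, kind, resolved))
```

With an HTTP base the network-path value resolves to plain HTTP, and the scheme-less "example.org/path" resolves to a path on the consumer's own host.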


Re: [CODE4LIB] quick question: CloudFlare

2015-06-19 Thread Andrew Anderson
We have had good experience with it so far, yes.  Do you have a specific use 
case that you’re concerned about?

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jun 19, 2015, at 12:58, Kun Lin l...@whitman.edu wrote:

 Quick question:
 
 
 
 Who is using CloudFlare for their library website? Are they very
 accommodating in using CNAME?
 
 
 
 Thanks
 
 Kun Lin


Re: [CODE4LIB] quick question: CloudFlare

2015-06-19 Thread Andrew Anderson
That’s a bit sub-optimal regarding how they handle domain setup, I agree.  You 
can get partial functionality by adding a NS record in your existing DNS 
servers for pointing specific records to their DNS servers even without going 
through the full domain delegation process.  After some testing, we were 
sufficiently happy with their service to move forward with the full delegation, 
but this technique worked well for kicking the tires without making the full 
commitment to their DNS service.

The down side to using the NS trick is that their SSL handling will not be 
fully active unless you do the whole domain.  Depending on what you hope to 
accomplish, that may be the make-or-break decision for using their service or 
not.  You can still do SSL on the host under some circumstances, but I believe 
all entries in the top level domain must use their certificates when 
acceleration is active.  Subdomains can still use the SSL certificate on the 
host even without full delegation.

Another reason to consider letting them handle your DNS (if you can) is that 
they have some pretty interesting plans for adding DNSSEC support for later 
this year.

At any rate, what I would suggest you consider is something like this:

test    IN  NS  ns1.ns.cloudflare.com.
        IN  NS  ns2.ns.cloudflare.com.

and replace ns1 and ns2 with the name servers assigned to your account.

Of course, you need a “test” record created on the CloudFlare end to serve the 
appropriate DNS entries.  This configuration will send all DNS queries for the 
test host to CloudFlare’s servers and through their acceleration infrastructure.

Hope this helps,
Andrew

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jun 19, 2015, at 18:29, Kun Lin l...@whitman.edu wrote:

 In most cases, Cloudflare will want you to delegate the whole domain to their
 DNS server. This is impossible for us to do. Therefore, I am trying to
 figure out CNAME option.
 
 Thanks
 Kun
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of
 Andrew Anderson
 Sent: Friday, June 19, 2015 3:24 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] quick question: CloudFlare
 
 We have had good experience with it so far, yes.  Do you have a specific
 use case that you're concerned about?
 
 --
 Andrew Anderson, Director of Development, Library and Information
 Resources Network, Inc.
 http://www.lirn.net/ | http://www.twitter.com/LIRNnotes |
 http://www.facebook.com/LIRNnotes
 
 On Jun 19, 2015, at 12:58, Kun Lin l...@whitman.edu wrote:
 
 Quick question:
 
 
 
 Who is using CloudFlare for their library website? Are they very
 accommodating in using CNAME?
 
 
 
 Thanks
 
 Kun Lin


Re: [CODE4LIB] Let's implement the referrer meta tag

2015-06-12 Thread Andrew Anderson
Or just SSL enable your library web site.  Few vendors support SSL today, so 
crossing the HTTP/HTTPS barrier is supposed to automatically disable referring 
URL passing.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

15.1.3 Encoding Sensitive Information in URI's

Because the source of a link might be private information or might reveal an 
otherwise private information source, it is strongly recommended that the user 
be able to select whether or not the Referer field is sent. For example, a 
browser client could have a toggle switch for browsing openly/anonymously, 
which would respectively enable/disable the sending of Referer and From 
information.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP 
request if the referring page was transferred with a secure protocol.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms 
for the submission of sensitive data, because this will cause this data to be 
encoded in the Request-URI. Many existing servers, proxies, and user agents 
will log the request URI in some place where it might be visible to third 
parties. Servers can use POST-based form submission instead

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jun 12, 2015, at 0:24, Conal Tuohy conal.tu...@gmail.com wrote:

 Assuming your library web server has a front-end proxy (I guess this is
 pretty common) or at least runs inside Apache httpd or something, then
 rather than use the HTML meta tag, it might be easier to set the referer
 policy via the Content-Security-Policy HTTP header field.
 
 https://w3c.github.io/webappsec/specs/content-security-policy/#content-security-policy-header-field
 
 e.g. in Apache httpd with mod_headers:
 
 Header set Content-Security-Policy "referrer 'no-referrer'"
 
 
 
 On 12 June 2015 at 13:55, Frumkin, Jeremy A - (frumkinj) 
 frumk...@email.arizona.edu wrote:
 
 Eric -
 
 Many thanks for raising awareness of this. It does feel like encouraging
 good practice re: referrer meta tag would be a good thing, but I would not
 know where to start to make something like this required practice. Did you
 have some thoughts on that?
 
 — jaf
 
 ---
 Jeremy Frumkin
 Associate Dean / Chief Technology Strategist
 University of Arizona Libraries
 
 +1 520.626.7296
 j...@arizona.edu
 ——
 A person who never made a mistake never tried anything new. - Albert
 Einstein
 
 
 
 
 
 
 
 
 
 On 6/11/15, 8:25 AM, Eric Hellman e...@hellman.net wrote:
 
 
 http://go-to-hellman.blogspot.com/2015/06/protect-reader-privacy-with-referrer.html
 
 
 
 I hope this is easy to deploy on library websites, because the privacy
 enhancement is significant.
 
 I'd be very interested to know of sites that are using it; I know Thomas
 Dowling implemented a referrer policy on http://oatd.org/ 
 
 Would it be a good idea to make it a required practice for libraries?
 
 
 Eric Hellman
 President, Gluejar.Inc.
 Founder, Unglue.it https://unglue.it/
 http://go-to-hellman.blogspot.com/
 twitter: @gluejar
 


Re: [CODE4LIB] making EZproxy http/https transparent

2015-03-03 Thread Andrew Anderson
https://pluto.potsdam.edu/ezproxywiki/index.php/SSL#Wildcard_certificate

(You can safely ignore the SSL warning, pluto uses self-signed certificates)

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Mar 3, 2015, at 11:46, Karl Holten khol...@switchinc.org wrote:

 If you're using proxy by hostname, it's my understanding that you need to 
 purchase a SSL certificate for each secure domain, otherwise you get security 
 errors. Depending on how many domains you have, the cost of this can add up. 
 Maintaining it is a headache too because it seems like vendors often don't 
 bother to notify you they're making a switch.
 
 If there's some way to avoid doing this, I would love to know!
 
 Karl Holten
 Systems Integration Specialist
 SWITCH Inc
 414-382-6711
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of 
 Stuart A. Yeates
 Sent: Monday, March 2, 2015 5:27 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: [CODE4LIB] making EZproxy http/https transparent
 
 In the last couple of months we've had to update a number of EZproxy stanzas 
 as either tools migrate to HTTPS-only or people try to access HTTP/HTTPS 
 parallel resources using browsers that automatically detect HTTP/HTTPS 
 parallel resources and switch users to the HTTPS version (think current 
 Chrome, anything with the HTTPSeverywhere plugin).
 
 We'd like to avoid updating our config.txt piecemeal on the basis of 
 user-generated error-reports
 
 We're thinking of going through our EZproxy config.txt and adding an H 
 https:// for every H or URL entry. (Domain and DomainJavascript already work 
 for both HTTP and HTTPS).
 
 Has anyone tried anything like this? Are there pitfalls?
 
 cheers
 stuart
 --
 ...let us be heard from red core to black sky


Re: [CODE4LIB] [RESOLVED] Re: HTTPS EZproxy question / RFC 6125

2014-12-24 Thread Andrew Anderson
There are 3 basic approaches to rewriting proxy servers that I have seen in the 
wild, each with their own strengths and weaknesses:

1) Proxy by port

This is the original EZproxy model, where each proxied resource gets its own 
port number.  This runs afoul of firewall rules to non port 80/443 resources, 
and it creates a problem for SSL access, as clients try both HTTP and HTTPS to 
the same port number, and EZproxy is not setup to differentiate both protocols 
accessing the same port.  With more and more resources moving to HTTPS, the end 
of this solution as a viable option is in sight.

2) Proxy by hostname

This is the current preferred EZproxy model, as it addresses the HTTP(S) port 
issue, but as you have identified, it instead creates a hostname mangling 
issue, and now I’m curious myself about how EZproxy will handle a hyphenated 
SSL site as well with HttpsHyphens enabled.  I /think/ it does the right thing 
by mapping the hostname back to the original internally, as a “-“ in hostnames 
for release versioning is how the Google App Engine platform works, but I have 
not explicitly investigated that.

3) Proxy by path

A different proxy product that we use, Muse Proxy from Edulib, leverages proxy 
by path, where the original website URL is deconstructed and passed to the 
proxy server as query arguments.  This approach has worked fairly well as it 
cleanly avoids the hostname mangling issues, though some of the new “single 
page web apps” that use JavaScript routing patterns can be interesting, so the 
vendor has added proxy by hostname support as an option for those sites as a 
fallback.

So there is no perfect solution, but some work better than others.  I’m looking 
forward to expanding our use of the proxy by path approach, as that is a very 
clean approach to this problem, and it seems to have fewer caveats than the 
other two approaches.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Dec 18, 2014, at 17:04, Stuart A. Yeates syea...@gmail.com wrote:

 It appears that the core of my problem was that I was unaware of
 
 Option HttpsHyphens / NoHttpsHyphens
 
 which toggle between proxying on
 
 https://www.somedb.com.ezproxy.yourlib.org
 
 and
 
 https://www-somedb-com.ezproxy.yourlib.org
 
 and allows infinitely nested domains to be proxied using a simple
 wildcard cert by compressing things.
 
 The paranoid in me is screaming that there's an interesting brokenness
 in here when a separate hosted resource is at https://www-somedb.com/,
 but I'm trying to overlook that.
 
 cheers
 stuart
 --
 ...let us be heard from red core to black sky
 
 
 On Mon, Dec 15, 2014 at 9:24 AM, Stuart A. Yeates syea...@gmail.com wrote:
 Some resources are available only via HTTPS. Previously we used a
 wildcard certificate, I can't swear that it was ever tested as
 working, but we weren't getting any complaints.
 
 Recently browser security has been tightened and RFC 6125 has appeared
 and been implemented and proxying of https resources with a naive
 wildcard cert no longer works (we're getting complaints and are able
 to duplicate the issues).
 
 At 
 https://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains
 there is an interesting solution with multiple wildcards in the same
 cert:
 
 foo.com
 *.foo.com
 *.*.foo.com
 ...
 
 There is also the possibility that we can just grep the logs for every
 machine name ever accessed and generate a huge list.
 
 Has anyone tried these options? Successes? Failures? Thoughts?
 
 cheers
 stuart
 
 
 --
 ...let us be heard from red core to black sky
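
An added example, not part of the original posts: a Python check of which proxied hostnames a single wildcard certificate covers under a strict reading of RFC 6125, and of the name collision raised in the quoted message about https://www-somedb.com/. The dot-to-hyphen mapping is an assumption taken from the one example in the thread, not EZproxy's actual algorithm; the origin list and function names are constructed.

```python
PROXY_SUFFIX = "ezproxy.yourlib.org"   # proxy hostname used in the thread


def wildcard_matches(pattern, hostname):
    """Strict RFC 6125 section 6.4.3 style match of a certificate name.

    '*' is honoured only as the complete left-most label and stands for
    exactly one label. Patterns such as '*.*.foo.com' or 'w*.foo.com'
    are refused outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                   # wildcard outside the left-most label
    if p[1:] != h[1:]:
        return False
    if p[0] == "*":
        return True
    if "*" in p[0]:
        return False                   # partial wildcard
    return p[0] == h[0]


def proxied_name(origin_host, hyphens):
    """Proxy-by-hostname name for an origin host.

    hyphens=False appends the proxy suffix; hyphens=True first replaces
    dots with hyphens (assumed naive mapping, see the lead-in).
    """
    host = origin_host.lower().rstrip(".")
    if hyphens:
        host = host.replace(".", "-")
    return host + "." + PROXY_SUFFIX


def uncovered(origin_hosts, cert_names, hyphens):
    """Origins whose proxied name matches none of the certificate names."""
    return [o for o in origin_hosts
            if not any(wildcard_matches(c, proxied_name(o, hyphens))
                       for c in cert_names)]


def collisions(origin_hosts, hyphens):
    """Proxied names that more than one distinct origin maps onto."""
    seen = {}
    for origin in origin_hosts:
        seen.setdefault(proxied_name(origin, hyphens), []).append(origin)
    return {name: hosts for name, hosts in seen.items() if len(hosts) > 1}


# Constructed inputs: two names from the thread plus one made-up vendor host.
ORIGINS = ["www.somedb.com", "www-somedb.com", "search.vendor.example"]
CERT_NAMES = [PROXY_SUFFIX, "*." + PROXY_SUFFIX]

if __name__ == "__main__":
    for hyphens in (False, True):
        print("hyphens =", hyphens)
        print("  not covered by cert:", uncovered(ORIGINS, CERT_NAMES, hyphens))
        print("  collisions:", collisions(ORIGINS, hyphens))
```

Running the same two checks over the hostnames in a real config.txt shows which stanzas the wildcard certificate cannot serve and which origins would share a proxied name under the assumed mapping.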


Re: [CODE4LIB] Functional Archival Resource Keys

2014-12-11 Thread Andrew Anderson
I’m not commenting on whether inflections are good, bad, or ugly, but simply 
looking at this from the perspective of real-world hurdles, unexpected 
interactions, and implementation challenges that are going to be run into by 
the selection of an existing reserved character as an inflection indicator.  It 
looks like we disagree on the concept that “no one is using it” as it has a 
clearly defined role in the URI specification, and it is not uncommon to use 
“?”’s as a cache-busting mechanism when clearly no one intends to fetch an 
object’s metadata when they do so.

Taking a step back, this seems like a false economy vs a more expressive and 
human-friendly mechanism for defining access to metadata and policy for the 
object in question.

There are a number of different approaches that could be taken to achieve the 
stated goals of ARK without overloading the purpose of an existing defined 
reserved character, and I think that the project would be doing itself a favor 
by exploring the alternatives to find an approach that does not have the 
potential to slow adoption due to technical and political reasons.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Dec 10, 2014, at 14:28, John Kunze j...@ucop.edu wrote:

 I don't know the precise constraints you're working under, but Henry
 Thompson of the W3C TAG (Technical Architecture Group) has advocated for
 consideration of the ARK approach to the TAG's meetings.
 
 The terminal '?' is sort of a no-brainer, but clearly it stretches the URI
 spec; on the plus side, it's ripe for definition since no one else is using
 it.  It was Jonathan Rees (also of the W3C TAG) who pointed out the need
 for an additional response header, just in case some service actually was
 responding query strings that overlapped with inflections.
 
 Just to be clear, the ARKs don't own the inflections concept (in fact the
 ARK scheme is unusual in not owning things, such as a resolver).  If you
 think inflections are a good/bad idea for ARKs, chances are you'll think
 the same for other kinds of identifiers.  As Clifford Lynch once said, the
 '?' inflection should work for all URLs.
 
 On Tue, Dec 9, 2014 at 10:09 PM, Andrew Anderson and...@lirn.net wrote:
 
 RFC and expectation violations make my brain hurt.
 
 Overloading an operator that has a clearly defined role in HTTP URIs (
 https://tools.ietf.org/html/rfc7230#section-2.7.1) creates the potential
 for /so/ many unexpected interactions between browsers (
 https://code.google.com/p/chromium/issues/detail?id=108690), HTTP caches,
 URL rewriting servers, etc. that implementations, adopters, and users are
 going to be playing a long game of whack-a-mole working around them.
 
 The proposal is already carving out a URI namespace in the form of “ark:”:
 
  http://ark.cdlib.org/ark:/13030/tf5p30086k?
 
 So why not take advantage of the fact that any system processing the
 “ark:” namespace is already going to have to be a custom application and
 adopt a RESTful path to communicate the service requested instead?
 
  http://ark.cdlib.org/ark:metadata/13030/tf5p30086k
  http://ark.cdlib.org/ark:policy/13030/tf5p30086k
 
 If a web services style implementation is undesired, what about creating
 another reserved character or overload a character that is already used in
 URIs but not part of the HTTP URI specification, “!”?
 
 Or, if a standard approach for HTTP header implementation were proposed
 and adopted, it is not unreasonable to imagine that browsers might adopt
 methods that would allow the average user access to the inflections without
 jumping through hoops once adoption reaches critical mass.
 
 There are many approaches and techniques that could be employed here that
 would not require overloading “?” in HTTP URIs that there really is no
 excuse for trying to do so.
 
 --
 Andrew Anderson, Director of Development, Library and Information
 Resources Network, Inc.
 http://www.lirn.net/ | http://www.twitter.com/LIRNnotes |
 http://www.facebook.com/LIRNnotes
 
 On Dec 9, 2014, at 9:25, Ethan Gruber ewg4x...@gmail.com wrote:
 
 I'm using a few applications in Tomcat, so inflections are much more
 difficult to implement than content negotiation. I can probably tweak the
 Apache settings to do a proxypass for inflections by modifying the
 examples
 above.
 
 I agree with Conal, though. Inflections are puzzling at best and bad
 architecture at worst, and the sooner the community puts forward a more
 standard solution, the better.
 
 On Mon, Dec 8, 2014 at 7:21 PM, John Kunze j...@ucop.edu wrote:
 
 Just as a URL permits an ordinary user with a web browser to get to an
 object, inflections permit an ordinary user to see metadata (without
 curl
 or code).
 
 There's nothing to prevent a server from supporting both the HTTP Accept
 header (content negotiation) and inflections.  If you can do

Re: [CODE4LIB] Stack Overflow

2014-11-04 Thread Andrew Anderson
On Nov 4, 2014, at 9:42, Joshua Welker wel...@ucmo.edu wrote:

 3. Libraries have a culture of
 protecting vendors from criticism. Sure, we do lots of criticism behind
 closed doors, but nowhere that leaves an online footprint.

Oops.  Someone should have told me that rule before I openly and repeatedly 
criticized EBSCO for having a broken DNS configuration that is celebrating the 
2-year anniversary of my in-depth bug report to them, along with a specific 
resolution path that their IT department has demonstrated an amazing resolve to 
ignore despite repeated pings to their customer service representatives to keep 
the issue active over the past 2 years.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes


Re: [CODE4LIB] Why learn Unix?

2014-10-27 Thread Andrew Anderson
There is something of a natural symbiosis between *NIX and libraries.  If you 
have not already found it, read Unix as Literature for some background on why 
those who like the written word are drawn to *NIX naturally.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Oct 27, 2014, at 10:02, Siobhain Rivera siori...@indiana.edu wrote:

 Hi everyone,
 
 I'm part of the ASIST Student Chapter and Indiana University, and we're
 putting together a series of workshops on Unix. We've noticed that a lot of
 people don't seem to have a good idea of why they should learn Unix,
 particularly the reference/non technology types. We're going to do some
 more research to make a fact sheet about the uses of Unix, but I thought
 I'd pose the question to the list - what do you think are reasons
 librarians need to know Unix, even if they aren't in particularly tech
 heavy jobs?
 
 I'd appreciate any input. Have a great week!
 
 Siobhain Rivera
 Indiana University Bloomington
 Library Science, Digital Libraries Specialization
 ASIST-SC, Webmaster


Re: [CODE4LIB] Requesting a Little IE Assistance

2014-10-13 Thread Andrew Anderson
I’ve never attempted this, but instead of linking to the text files directly, 
can you include the text files in an iframe and leverage that to apply 
sizing/styling information to the iframe content?

Something like:

<html>
<body>
<iframe src="/path/to/file.txt"></iframe>
</body>
</html>

That structure, combined with some javascript tricks might get you where you 
need to be:

http://stackoverflow.com/questions/4612374/iframe-inherit-from-parent

Of course, if you’re already going that far, you’re not too far removed from 
just pulling the text file into a nicely formatted container via AJAX, and 
styling that container as needed, without the iframe hackery.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Oct 13, 2014, at 9:59, Matthew Sherman matt.r.sher...@gmail.com wrote:

 For anyone who knows Internet Explorer, is there a way to tell it to use
 word wrap when it displays txt files?  This is an odd question but one of
 my supervisors exclusively uses IE and is going to try to force me to
 reupload hundreds of archived permissions e-mails as text files to a
 repository in a different, less preservable, file format if I cannot tell
 them how to turn on word wrap.  Yes it is as crazy as it sounds.  Any
 assistance is welcome.
 
 Matt Sherman


Re: [CODE4LIB] Forwarding blog post: Apple, Android and NFC – how should libraries prepare? (RFID stuffs)

2014-10-08 Thread Andrew Anderson
On Oct 8, 2014, at 4:54, Ross Singer rossfsin...@gmail.com wrote:

 We’re generally in need of a spec, not a standard, I’ve found (although 
 they’re definitely not mutually exclusive!).


The wonderful thing about standards, is that there are so many to choose from.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes


Re: [CODE4LIB] Library app basics

2014-10-07 Thread Andrew Anderson
Before launching into a native app, start with the functional requirements to 
see if what you want to accomplish could be done in a well designed mobile web 
site, or if you actually need the advanced features that native development 
would make available.

For example, there is a _lot_ that you can do in jQuery Mobile backed by a 
strong AJAX backend that looks like a native app, yet does not subject you to 
the stringent requirements of having to do multi-platform development and worry 
about submitting to multiple vendors for approval.  

There is already some support for media capture for photos/video/sound in HTML5 
on some devices that you can use for interactive experiences like snapping a 
photo, sending it to the server for processing, and having the server send back 
something relevant.  See 
http://www.html5rocks.com/en/tutorials/getusermedia/intro/ for some information 
on what is possible currently, and then imagine what you could do with book 
covers, bar codes, maybe even tapping into the NFC chips in smartphones to 
tickle those RFID chips everyone is talking about this week.

As a data point, I have seen estimates that put mobile app development costs 
between $5,000 and $50,000, depending on their complexity, amount of UI/UX 
design and testing, graphics development, etc, so if you are operating without 
a budget and are having to scrounge for devices just to test with, a smart 
mobile web site may be a better starting point anyway.  It’s less of an 
unknown, using familiar tools, doesn’t require testing hardware, and doesn’t 
have an onerous vendor approval step to deal with.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Oct 7, 2014, at 14:51, Will Martin w...@will-martin.net wrote:

 My boss has directed me to start looking into producing a phone app for the 
 library, or better yet finding a way to integrate with the existing 
 campus-wide app.  Could I pick the list's brains?
 
 1) Is there some tolerably decent cross-platform app language, or am I going 
 to be learning 3 different languages for iOS, Android, and Windows phone?  
 I've dabbled in all kinds of things, but my bread-and-butter work has been 
 PHP on a LAMP stack.  Apps aren't written in that, so new language time.
 
 2) The library's selection of mobile devices consists of 2 iPads and a Galaxy 
 tablet.  We don't have phones for testing.  My personal phone is a 
 12-year-old flip phone which doesn't run apps.  Can I get by with emulators?  
 What are some good ones?  The budget for the project is zero, so I don't 
 think dedicated testing devices are in the cards unless I upgrade my own 
 phone, which I probably ought to anyway.
 
 3) What are some best practices for library app design?  We were thinking the 
 key functionality would be personal account management (what have I got 
 checked out, renew my stuff, etc), hours, lab availability, search the 
 catalog, and ask a librarian.  Anything missing?  Too much stuff?
 
 Will Martin
 
 Web Services Librarian
 Chester Fritz Library
 
 P.S.  I sent this a couple days ago and wondered why it hadn't shown up -- 
 only to realize I accidently sent it to j...@code4lib.org rather than the 
 actual list serv address.  Whoops, embarrassing!


Re: [CODE4LIB] What is the real impact of SHA-256? - Updated

2014-10-06 Thread Andrew Anderson
My concern would be more that given proven weaknesses in MD5, do I want to risk 
that 1 in a billion chance that the “right” bit error creeps into an archive 
that manages to not impact the checksum, thus creating the illusion that the 
archive integrity has not been violated?

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Oct 2, 2014, at 18:34, Jonathan Rochkind rochk...@jhu.edu wrote:

 For checksums for ensuring archival integrity, are cryptographic flaws 
 relevant? I'm not sure, is part of the point of a checksum to ensure against 
 _malicious_ changes to files?  I honestly don't know. (But in most systems, 
 I'd guess anyone who had access to maliciously change the file would also 
 have access to maliciously change the checksum!)
 
 Rot13 is not suitable as a checksum for ensuring archival integrity however, 
 because its output is no smaller than its input, which is kind of what 
 you're looking for. 
 
 
 From: Code for Libraries [CODE4LIB@LISTSERV.ND.EDU] on behalf of Cary Gordon 
 [listu...@chillco.com]
 Sent: Thursday, October 02, 2014 5:51 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] What is the real impact of SHA-256? - Updated
 
 +1
 
 MD5 is little better than ROT13. At least with ROT13, you have no illusions.
 
 We use SHA 512 for most work. We don't do finance or national security, so it 
 is a good fit for us.
 
 Cary
 
 On Oct 2, 2014, at 12:30 PM, Simon Spero sesunc...@gmail.com wrote:
 
 Intel skylake processors have dedicated sha instructions.
 See: https://software.intel.com/en-us/articles/intel-sha-extensions
 
 Using a tree hash approach (which is inherently embarrassingly parallel)
 will leave io time dominant. This approach is used by Amazon glacier - see
 http://docs.aws.amazon.com/amazonglacier/latest/dev/checksum-calculations.html
 
 MD5 is broken, and cannot be used for any security purposes. It cannot be
 used for deduplication if any of the files are in the directories of
 security researchers!
 
 If security is not a concern then there are many faster hashing algorithms
 that avoid the costs imposed by the need to defend against adversaries.
 See siphash, murmur, cityhash, etc.
 
 Simon
 On Oct 2, 2014 11:18 AM, Alex Duryee a...@avpreserve.com wrote:
 
 Despite some of its relative flaws, MD5 is frequently selected over SHA-256
 in archives as the checksum algorithm of choice. One of the primary factors
 here is the longer processing time required for SHA-256, though there have
 been no empirical studies calculating that time difference and its overall
 impact on checksum generation and verification in a preservation
 environment.
 
 AVPreserve Consultant Alex Duryee recently ran a series of tests comparing
 the real time and cpu time used by each algorithm. His newly updated white
 paper What Is the Real Impact of SHA-256? presents the results and comes
 to some interesting conclusions regarding the actual time difference
 between the two and what other factors may have a greater impact on your
 selection decision and file monitoring workflow. The paper can be
 downloaded for free at
 
 http://www.avpreserve.com/papers-and-presentations/whats-the-real-impact-of-sha-256/
 .
 __
 
 Alex Duryee
 *AVPreserve*
 350 7th Ave., Suite 1605
 New York, NY 10001
 
 office: 917-475-9630
 
 http://www.avpreserve.com
 Facebook.com/AVPreserve http://facebook.com/AVPreserve
 twitter.com/AVPreserve
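
An added example, not part of any post in this thread: a sketch of the SHA-256 tree hash approach Simon Spero points to (the scheme Amazon Glacier documents: 1 MiB chunks hashed individually, then digests combined pairwise), used as a fixity check that catches the single flipped bit discussed above. The manifest helpers, the file name and the sample bytes are constructed for illustration.

```python
import hashlib

MIB = 1024 * 1024  # Glacier's documented chunk size for tree hashing


def tree_hash(data: bytes, chunk_size: int = MIB) -> bytes:
    """SHA-256 tree hash: hash each chunk, then hash adjacent digest pairs
    level by level until one digest remains. An unpaired digest at the end
    of a level is carried up unchanged."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    # Leaf level: one digest per chunk. Each leaf is independent of the
    # others, which is what makes the scheme easy to parallelise.
    level = [hashlib.sha256(data[i:i + chunk_size]).digest()
             for i in range(0, len(data), chunk_size)]
    if not level:  # empty payload: hash of the empty string
        level = [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def make_manifest(files: dict, chunk_size: int = MIB) -> dict:
    """Map each file name to the hex tree hash of its content."""
    return {name: tree_hash(content, chunk_size).hex()
            for name, content in files.items()}


def verify(files: dict, manifest: dict, chunk_size: int = MIB) -> list:
    """Return (name, problem) pairs; an empty list means fixity holds."""
    problems = []
    for name in sorted(manifest):
        if name not in files:
            problems.append((name, "missing"))
        elif tree_hash(files[name], chunk_size).hex() != manifest[name]:
            problems.append((name, "altered"))
    for name in sorted(set(files) - set(manifest)):
        problems.append((name, "unexpected"))
    return problems


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate bit rot: return a copy of data with one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample "archive": 3 KiB of patterned bytes, hashed in
    # 1 KiB chunks so the tree has more than one level.
    original = {"scan-0001.tif": bytes(range(256)) * 12}
    manifest = make_manifest(original, chunk_size=1024)
    damaged = {"scan-0001.tif": flip_bit(original["scan-0001.tif"], 5)}
    print("intact :", verify(original, manifest, chunk_size=1024))
    print("damaged:", verify(damaged, manifest, chunk_size=1024))
```

The manifest only protects against accidental change if it is stored where a writer of the files cannot also rewrite it, which is the concern Jonathan Rochkind raises in the quoted message.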
 


Re: [CODE4LIB] LibGuides v2 - Templates and Nav

2014-09-18 Thread Andrew Anderson
There are ways around this, e.g. http://api.jquerymobile.com/taphold/

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Sep 17, 2014, at 21:17, Jonathan Rochkind rochk...@jhu.edu wrote:

 Mouse hover is not available to anyone using a touch device rather than a 
 mouse, as well as being problematic for keyboard access.
 
 While there might be ways to make the on-hover UI style keyboard accessible 
 (perhaps in some cases activating on element focus in addition to on hover), 
 there aren't really any good ones I can think for purely touch devices (which 
 don't really trigger focus state either).
 
 An increasing amount of web use, of course, is mobile touch devices, and 
 probably will continue to be and to increase for some time, including on 
 library properties.
 
 So I think probably on-hover UI should simply be abandoned at this point, 
 even if some people love it, it will be inaccessible to an increasing portion 
 of our users with no good accommodations.
 
 Jonathan
 
 On 9/17/14 4:25 PM, Jesse Martinez wrote:
 On the same token, we're making it a policy to not use mouse hover over
 effects to display database/asset descriptions in LG2 until this can become
 keyboard accessible. This is a beloved feature from LG1 so I'm hoping
 SpringShare read my pestering emails about this...
 
 Jesse
 
 On Wed, Sep 17, 2014 at 3:38 PM, Brad Coffield bcoffield.libr...@gmail.com
 wrote:
 
 Johnathan,
 
 That point is well taken. Accessibility, to me, shouldn't be a tacked-on
 we'll do the best we can sort of thing. It's an essential part of being a
 library being open to all users. Unfortunately I know our site has a lot of
 work to be done regarding accessibility. I'll also pay attention to that
 when/if I make mods to the v2 templates.
 
 On Wed, Sep 17, 2014 at 1:49 PM, Jonathan LeBreton lebre...@temple.edu
 wrote:
 
 I might mention here that we (Temple University)  found LibGuides 2.0  to
 offer some noteworthy improvements in section 508 accessibility
 when compared with version 1.0.   Accessibility is a particular point of
 concern for the whole institution as we look across the city, state, and
 country at other institutions that have been called out and settled with
 various disability advocacy groups.
 So we moved to v. 2.0 during the summer in order to have those
 improvements in place for the fall semester, as well as to get the value
 from some other developments in v. 2.0 that benefit all customers.
 
 When I see email on list about making  modifications to templates and
 such, it gives me a bit of concern on this score that by doing so,  one
 might easily begin to make the CMS framework for content less accessible.
 I thought I should voice that.  This is not to say that one shouldn't
 customize and explore enhancements etc., but one should do so with some
 care if you are operating with similar mandates or concerns.  Unless I am
 mistaken, several of the examples noted are now throwing 508 errors that
 are not in the out-of-the box  LibGuide templates and which are not the
 result of an individual content contributor/author inserting bad stuff
 like images without alt tags.
 
 
 
 
 Jonathan LeBreton
 Senior Associate University Librarian
 Editor:  Library  Archival Security
 Temple University Libraries
 Paley M138,  1210 Polett Walk, Philadelphia PA 19122
 voice: 215.204.8231
 fax: 215.204.5201
 mobile: 215.284.5070
 email:  lebre...@temple.edu
 email:  jonat...@temple.edu
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of
 Cindi Blyberg
 Sent: Wednesday, September 17, 2014 12:03 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] LibGuides v2 - Templates and Nav
 
 Hey everyone!
 
 Not to turn C4L into Support4LibGuides, but... :)
 
 The infrastructure for all the APIs is in place; currently, the Guides
 API
 and the Subjects API are functioning.  Go to Tools > API > Get Guides to
 see the general structure of the URL.  Replace guides with subjects
 to
 retrieve your subjects.  You will need your LibGuides site ID, which you
 can get from the LibApps Dashboard screen.
 
 Word is that it will not take long to add other API calls on the back
 end;
 if you need these now, please do email supp...@springshare.com and
 reference this conversation.
 
 As for v1, we are planning on supporting it for 2 more years--that said,
 we would never leave anyone hanging, so if it takes longer than that to
 get
 everyone moved over, we're ready for that.
 
 Best,
  -Cindi
 
 On Wed, Sep 17, 2014 at 10:46 AM, Nadaleen F Tempelman-Kluit 
 n...@nyu.edu
 
 wrote:
 
 Hi all-
 While we're on the topic of LibGuides V2, when will the GET subjects
 API (and other API details) be in place? We're in a holding pattern
 until we get those details and we've not been able to get any timeline
 as to when those assets

Re: [CODE4LIB] Anybody know a way to add a MARC tag on-mass to a file of MARC records

2014-08-28 Thread Andrew Anderson
I’ve had a lot of success with pymarc for this.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Aug 28, 2014, at 14:37, Schwartz, Raymond schwart...@wpunj.edu wrote:

 I need to automate this in a script.  As far as I can tell.  You cannot do 
 this with MarcEdit.
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Jane 
 Costanza
 Sent: Thursday, August 28, 2014 2:33 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] Anybody know a way to add a MARC tag on-mass to a 
 file of MARC records
 
 MarcEdit is a free MARC editing utility.
 
 http://marcedit.reeset.net/
 
 Jane Costanza
 Associate Professor/Head of Discovery Services Trinity University San 
 Antonio, Texas
 210-999-7612
 jcost...@trinity.edu
 http://digitalcommons.trinity.edu/
 http://lib.trinity.edu/
 
 
 On Thu, Aug 28, 2014 at 1:26 PM, Schwartz, Raymond schwart...@wpunj.edu
 wrote:
 
 Anybody know a way to add a MARC tag on-mass to a file of MARC 
 records.  I need to add the tag 918 $a with the contents DELETE to 
 each of the records.
 
 Thanks in advance. /Ray
 
 Ray Schwartz
 Systems Specialist Librarian schwart...@wpunj.edu
 David and Lorraine Cheng Library   Tel: +1 973 720-3192
 William Paterson University Fax: +1 973 720-2585
 300 Pompton RoadMobile: +1 201
 424-4491
 Wayne, NJ 07470-2103 USA
 http://nova.wpunj.edu/schwartzr2/
 http://euphrates.wpunj.edu/faculty/schwartzr2/
 


Re: [CODE4LIB] Does 'Freedom to Read' require us to systematically privilege HTTPS over HTTP?

2014-06-18 Thread Andrew Anderson
On Jun 17, 2014, at 17:09, Stuart Yeates stuart.yea...@vuw.ac.nz wrote:

 On 06/17/2014 08:49 AM, Galen Charlton wrote:
 On Sun, Jun 15, 2014 at 4:03 PM, Stuart Yeates stuart.yea...@vuw.ac.nz 
 wrote:
 As I read it, 'Freedom to Read' means that we have to take active steps to
 protect the rights of our readers to read what they want and in private.
 [snip]
 * building HTTPS Everywhere-like functionality into LMSs (such functionality
 may already exist, I'm not sure)
 
 Many ILSs can be configured to require SSL to access their public
 interfaces, and I think it would be worthwhile to encourage that as a
 default expectation for discovery interfaces.
 
 However, I think that's only part of the picture for ILSs.  Other
 parts would include:
 
 * staff training on handling patron and circulation data
 * ensuring that the ILS has the ability to control (and let users
 control) how much circulation and search history data gets retained
 * ensuring that the ILS backup policy strikes the correct balance
 between having enough for disaster recovery while not keeping
 individually identifiable circ history forever
 * ensuring that contracts with ILS hosting providers and services that
 access patron data from the ILS have appropriate language concerning
 data retention and notification of subpoenas.
 
 Compared to other contributors to this thread, I appear to be (a) less 
 worried about state actors than our commercial partners and (b) keener to see 
 relatively straight forward technical fixes that just work 'for free' across 
 large classes of library systems. Things like:
 
 * An ILS module that pulls the HTTPS Everywhere ruleset from 
 https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
  and applies those rules as a standard data-cleanup step on all imported data 
 (MARC, etc).
 
 * A plugin to the CMS that drives the library's websites / blogs / whatever 
 and uses the same rulesets to default all links to HTTPS.
 
 * An EzProxy plugin (or howto) on silently redirecting users to HTTPS over 
 HTTP sites.
 
 cheers
 stuart

This is something that I have been interested in as well, and I have been 
asking our content providers when they will make their content available via 
HTTPS, but so far with very little uptake.  Perhaps if enough customers start 
asking, it will get enough exposure internally to drive adoption of HTTPS for 
the content side.

I looked into what EZproxy offers for the user side, and that product does not 
currently have the ability to do HTTPS to HTTP proxying, even though there is 
no technical reason why it could not be done (look at how many HTTPS sites run 
Apache in a reverse proxy to HTTP servers internally for load balancing, etc.)  

EZproxy makes the assumption that a HTTP resource will always be accessed over 
HTTP, and you cannot configure a HTTPS entry point to HTTP services to at least 
secure the side of the communication channel that is going to contain more 
identifiable information about the user, before it becomes aggregated into the 
general proxy stream.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes
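
An added example, not code from anyone in this thread or from the HTTPS Everywhere project: one way the data-cleanup step Stuart Yeates describes could apply an HTTPS Everywhere ruleset to imported link fields. The ruleset, host names and URLs below are constructed placeholders, and only exact and left-wildcard `target` hosts are handled.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML format (placeholder hosts).
SAMPLE_RULESET = r"""
<ruleset name="Example vendor (constructed)">
  <target host="db.example.org" />
  <target host="search.example.org" />
  <target host="*.journals.example.org" />
  <exclusion pattern="^http://db\.example\.org/legacy/" />
  <rule from="^http://(db|search)\.example\.org/" to="https://$1.example.org/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

# Constructed links, as they might appear in imported records.
SAMPLE_LINKS = [
    "http://db.example.org/record/42",
    "http://db.example.org/legacy/old.cgi",
    "http://www.journals.example.org/issue?id=7",
    "http://journals.example.org/issue?id=7",
    "http://unlisted.example.net/page",
    "https://db.example.org/record/42",
]


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.name = root.get("name", "")
        self.targets = [t.get("host", "").lower() for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern"))
                           for e in root.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), r.get("to"))
                      for r in root.findall("rule")]

    def covers(self, host):
        """True if the host matches a target exactly or via a '*.' prefix."""
        host = host.lower()
        return any(host == t or (t.startswith("*.") and host.endswith(t[1:]))
                   for t in self.targets)

    def apply(self, url):
        """Return the rewritten URL, or None if excluded or no rule matches."""
        if any(p.search(url) for p in self.exclusions):
            return None
        for pattern, to in self.rules:
            m = pattern.search(url)
            if m:
                # Rulesets use JavaScript-style $1 backreferences.
                expanded = re.sub(r"\$(\d)",
                                  lambda g: m.group(int(g.group(1))) or "", to)
                return url[:m.start()] + expanded + url[m.end():]
        return None


def rewrite_url(url, rulesets):
    """Upgrade an http:// URL only when a ruleset says the host supports it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url
    for rs in rulesets:
        if rs.covers(parts.hostname):
            new = rs.apply(url)
            if new is not None:
                return new
    return url  # unknown host: leave untouched rather than guess


def clean_links(urls, rulesets):
    """Return (old, new) pairs for every link that was upgraded."""
    return [(u, n) for u in urls
            for n in [rewrite_url(u, rulesets)] if n != u]


if __name__ == "__main__":
    for old, new in clean_links(SAMPLE_LINKS, [Ruleset(SAMPLE_RULESET)]):
        print(old, "->", new)
```

Links to hosts with no ruleset are left as they are, so a vendor that does not yet serve HTTPS is not broken by the cleanup.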


Re: [CODE4LIB] Does 'Freedom to Read' require us to systematically privilege HTTPS over HTTP?

2014-06-18 Thread Andrew Anderson
EZproxy already handles HTTPS connections for HTTPS enabled services today, and 
on modern hardware (i.e. since circa 2005), cryptographic processing far 
surpasses the speed of most network connections, so I do not accept the “it’s 
too heavy” argument against it supporting the HTTPS to HTTP functionality.  
Even embedded systems with 500MHz CPUs can terminate SSL VPNs at over 100Mb/s 
these days.

All I am saying is that the model where you expose HTTPS to the patron and 
still continue to use HTTP for the vendor is not possible with EZproxy today, 
and there is no technical reason why it could not do so, but rather a policy 
decision.  While HTTPS to HTTP translation would not completely solve the 
entire point of the original posting, it would be a step in the right direction 
until the rest of the world caught up.

As an aside, the lightweight nature of EZproxy seems to be becoming its 
Achilles Heel these days, as modern web development methods seem to be pushing 
the boundaries of its capabilities pretty hard.  The stance that EZproxy only 
supports what it understands is going to be a problem when vendors adopt 
HTTP/2.0, SDCH encoding, web sockets, etc., just as AJAX caused issues 
previously.  Most vendor platforms are Java based, and once Jetty starts 
supporting these features, the performance chasm between dumbed-down proxy 
connections and direct connections is going to become even more significant 
than it is today.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jun 18, 2014, at 11:20, Cary Gordon listu...@chillco.com wrote:

 One of the reasons that EZProxy is so fast and resource-efficient is that
 it is very lightweight. HTTPS to HTTP processing would require that
 EZProxy, or another proxy layer behind it, provide an HTTPS endpoint.
 Building this into EZProxy, I think, would not be a good fit for
 their model.
 
 I think that it would be simpler to just do everything in nginx, or
 possibly node.
 
 Cary
 
 On Wednesday, June 18, 2014, Andrew Anderson and...@lirn.net wrote:
 
 On Jun 17, 2014, at 17:09, Stuart Yeates stuart.yea...@vuw.ac.nz wrote:
 
 On 06/17/2014 08:49 AM, Galen Charlton wrote:
 On Sun, Jun 15, 2014 at 4:03 PM, Stuart Yeates stuart.yea...@vuw.ac.nz wrote:
 As I read it, 'Freedom to Read' means that we have to take active
 steps to
 protect the rights of our readers to read what they want and in
 private.
 [snip]
 * building HTTPS Everywhere-like functionality into LMSs (such
 functionality
 may already exist, I'm not sure)
 
 Many ILSs can be configured to require SSL to access their public
 interfaces, and I think it would be worthwhile to encourage that as a
 default expectation for discovery interfaces.
 
 However, I think that's only part of the picture for ILSs.  Other
 parts would include:
 
 * staff training on handling patron and circulation data
 * ensuring that the ILS has the ability to control (and let users
 control) how much circulation and search history data gets retained
 * ensuring that the ILS backup policy strikes the correct balance
 between having enough for disaster recovery while not keeping
 individually identifiable circ history forever
 * ensuring that contracts with ILS hosting providers and services that
 access patron data from the ILS have appropriate language concerning
 data retention and notification of subpoenas.
 
 Compared to other contributors to this thread, I appear to be (a) less
 worried about state actors than our commercial partners and (b) keener to
 see relatively straight forward technical fixes that just work 'for free'
 across large classes of library systems. Things like:
 
 * An ILS module that pulls the HTTPS Everywhere ruleset from
 https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
 and applies those rules as a standard data-cleanup step on all imported
 data (MARC, etc).
 
 * A plugin to the CMS that drives the library's websites / blogs /
 whatever and uses the same rulesets to default all links to HTTPS.
 
 * An EzProxy plugin (or howto) on silently redirecting users to HTTPS
 over HTTP sites.
 
 cheers
 stuart
 
 This is something that I have been interested in as well, and I have been
 asking our content providers when they will make their content available
 via HTTPS, but so far with very little uptake.  Perhaps if enough customers
 start asking, it will get enough exposure internally to drive adoption of
 HTTPS for the content side.
 
 I looked into what EZproxy offers for the user side, and that product does
 not currently have the ability to do HTTPS to HTTP proxying, even though
 there is no technical reason why it could not be done (look at how many
 HTTPS sites run Apache in a reverse proxy to HTTP servers internally for
 load balancing, etc.)
 
 EZproxy makes the assumption that a HTTP resource

Re: [CODE4LIB] Windows XP EOL

2014-03-05 Thread Andrew Anderson
You’d be amazed at what you can do with port 80/443 access, so while that is a 
deterrent, it is not a solution that will make any guarantees that the machines 
cannot do anything nefarious.

Adding a proxy server in front of the machines with a whitelist of allowed web 
sites instead of NAT would go further, but at the end of that day you’re still 
talking about taking a 14 year old operating system that is no longer supported 
and connecting it to the internet.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Mar 5, 2014, at 7:20, Michael Bond mb...@the-forgotten.org wrote:

 Why not setup your XP boxes to use a private network (10.x.x.x or 
 192.168.x.x) and put them behind a heavily fire walled NAT solution. Could be 
 setup on the network level or with a router and a linux box running IP 
 tables. Lots of ways to do it. 
 
 Install and keep updated Firefox or Chrome, lock down the machines so that 
 users don’t have permissions to install anything, and setup a whitelist of 
 programs that are allowed to be run (takes a little bit of work, but it's very 
 doable. We did this in WVU Libraries on all our machines [500 or so], public 
 and staff, until we got our virtualized desktops in place). 
 
 You can’t disallow Internet Explorer from running, but you can limit the 
 websites that it is allowed to visit. You could even go as far as only 
 allowing it to connect to the local host, but likely anything ‘on campus’ 
 would be fine.
 
 I’m assuming you are using some sort of image management solution (Ghost, at 
 the very least). So once you get an image setup it shouldn’t be that bad to 
 maintain and deploy. And if something does become exploited, you can 
 re-image the machine. 
 
 Configure the NAT to not allow any traffic to come from that private network 
 other than ports 80 and 443 (and any other legitimate port that you need). 
 that way if a machine does become compromised it can’t do (much) harm outside 
 of your private XP network. 
 
 If you need AD authentication you can set that all up in the ACLs for the 
 network as well so that they can only contact a specific authentication 
 server. If you absolutely needed to you could even put an auth server on the 
 same private network that has a trust back to your main auth servers. Put 2 
 network interfaces in it and it can live on 2 networks so you don’t have to 
 poke a hole through your private networks ACLs to get back to the main auth 
 servers. 
 
 It's not an ideal situation, but if you can’t afford new machines and you 
 absolutely need to keep your XP machines running there are ways of doing it. 
 But at what point does it become cost prohibitive with your time compared to 
 investing in new hardware?
 
 If you don’t do something though, you’ll be spending all your time rebuilding 
 compromised XP boxes eventually. 
 
 Michael Bond
 mb...@the-forgotten.org
 
 
 
 On Mar 4, 2014, at 4:55 PM, Riley Childs rchi...@cucawarriors.com wrote:
 
 Not to stomp around, but 1 hour is a LONG time for an unpatched computer, 
 especially when in close proximity to other unpatched computers! DeepFreeze 
 is great, but it is not a long term solution, also starting next week you 
 will get a nag screen every time you login telling you about the EOL.
 
 Riley Childs
 Student
 Asst. Head of IT Services
 Charlotte United Christian Academy
 (704) 497-2086
 RileyChilds.net
 Sent from my Windows Phone, please excuse mistakes
 
 From: Benjamin Stewartmailto:benjamin.stew...@unbc.ca
 Sent: ‎3/‎4/‎2014 4:46 PM
 To: CODE4LIB@LISTSERV.ND.EDUmailto:CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] Windows XP EOL
 
 Hello everyone
 
 (I have been in IT for 25+ years, k-7 for 15 years and now 10 months UNBC
 Library)
 
 
 If I worked for an organization that did not have the money to go either
 replacement Win7 or Linux desktop for usability issues.
 
 I would contact Faronics and get a deal for educational licenses to
 install Deepfreeze.
 Then setup all workstation basic accounts and to reboot if idle for 1
 hour. (and shut down, startup between set times)
 Deepfreeze also has a remote console to unfreeze and refreeze for
 maintenance to the workstation. (e.g. browser updates flash adobe)
 This in hand with PDQ deploy/inventory works very nice. (Basic version
 free)
 
 
 Last option would (not possible for most places) contact the Dell official
 lease site via direct or eBay. (there is a Canada and US supplier)
 
 You can buy nice 780 Dell with win7 pro for about $140 with shipping.
 Some companies like Dell or HP have been known to also donate to non-profit.
 
 ~Ben
 
 System Administrator
 Geoffrey R. Weller library
 UNBC, BC Canada
 PH (250) 960-6605
 benjamin.stew...@unbc.ca
 
 
 
 
 
 
 
 On 2014-03-04, 11:12 AM, Ingraham Dwyer, Andy adw...@library.ohio.gov
 wrote:
 
 I would

Re: [CODE4LIB] Windows XP EOL

2014-03-05 Thread Andrew Anderson
On Mar 5, 2014, at 15:37, Marc Truitt mtru...@mta.ca wrote:

 Perhaps that's why several contributors to this thread have suggested
 that M$' EOL declaration aside, why give it up?  XP, I'll miss ya...

XP: The new DOS 3.3?

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes


Re: [CODE4LIB] Proquest search api?

2014-02-17 Thread Andrew Anderson
The document you want to request from ProQuest support was called 
Federated-Search.docx when they sent it to me.  This will address many of your 
documentation needs.

ProQuest used to have an excel spreadsheet with all of the product codes for 
the databases available for download from 
http://support.proquest.com/kb/article?ArticleId=3698&source=article&c=12&cid=26,
 but it appears to no longer be available from that source.  ProQuest support 
should be able to answer where it went when you request the federated search 
document.

You may receive multiple 856 fields for Citation/Abstract, Full Text, and 
Scanned PDF:

=856  41$3Citation/Abstract$uhttp://search.proquest.com/docview/...
=856  40$3Full Text$uhttp://search.proquest.com/docview/...
=856  40$3Scanned PDF$uhttp://search.proquest.com/docview/...

I would suggest that rather than relying on the 2nd indicator, you should parse 
subfield 3 instead to find the format that you prefer.  You see the multiple 
856 fields in the MARC records for ProQuest holdings as well, as that is how 
ProQuest handles coverage gaps in titles, so if you have ever processed 
ProQuest MARC records before, you should be already prepared for this.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes
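
The subfield-3 selection suggested above, as an added example that is not part of the original message and is not ProQuest code: it picks a link by its $3 label rather than by the second indicator, and keeps only http(s) URLs on search.proquest.com. The sample record, its docview paths, the off-host URL and the function names are constructed for illustration, and the standard MARCXML namespace is assumed for the response.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://www.loc.gov/MARC21/slim}"  # MARCXML namespace (assumed for the response)

# Constructed sample record, not real ProQuest output; docview paths are placeholders.
SAMPLE_MARCXML = """
<record xmlns="http://www.loc.gov/MARC21/slim">
  <datafield tag="856" ind1="4" ind2="1">
    <subfield code="3">Citation/Abstract</subfield>
    <subfield code="u">http://search.proquest.com/docview/000000001/abstract</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2="0">
    <subfield code="3">Full Text</subfield>
    <subfield code="u">http://elsewhere.example.invalid/docview/000000001</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2="0">
    <subfield code="3">Full Text</subfield>
    <subfield code="u">http://search.proquest.com/docview/000000001/fulltext</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2="0">
    <subfield code="3">Scanned PDF</subfield>
    <subfield code="u">http://search.proquest.com/docview/000000001/pdf</subfield>
  </datafield>
</record>
"""


def subfield(field, code):
    """First non-empty value of the given subfield code, or '' when absent."""
    for sf in field.findall(NS + "subfield"):
        if sf.get("code") == code and sf.text:
            return sf.text.strip()
    return ""


def links_by_label(marcxml, allowed_hosts=("search.proquest.com",)):
    """Map lower-cased 856 $3 label -> first acceptable $u URL."""
    root = ET.fromstring(marcxml.strip())
    links = {}
    for field in root.iter(NS + "datafield"):
        if field.get("tag") != "856":
            continue
        label, url = subfield(field, "3"), subfield(field, "u")
        parts = urlsplit(url)
        # The response is remote input: keep only http(s) links on expected hosts.
        if not label or parts.scheme not in ("http", "https"):
            continue
        if parts.hostname not in allowed_hosts:
            continue
        links.setdefault(label.lower(), url)
    return links


def preferred_link(marcxml, preference=("Full Text", "Scanned PDF", "Citation/Abstract")):
    """Return (label, url) for the first preferred format present, else None."""
    links = links_by_label(marcxml)
    for label in preference:
        if label.lower() in links:
            return label, links[label.lower()]
    return None
```

In the sample, three fields carry second indicator 0, so the indicator alone cannot tell Full Text from Scanned PDF; the $3 label can.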

On Feb 17, 2014, at 10:28, Jonathan Rochkind rochk...@jhu.edu wrote:

 I still haven't managed to get info from Proquest support, but thanks to off 
 list hints from another coder, I have discovered the Proquest SRU endpoint, 
 which I think is the thing they call the XML gateway.
 
 Here's an example query:
 
 http://fedsearch.proquest.com/search/sru/pqdtft?operation=searchRetrieve&version=1.2&maximumRecords=30&startRecord=1&query=title%3D%22global%20warming%22%20AND%20author%3DCastet
 
 For me, coming from an IP address recognized as 'on campus' for our general 
 Proquest access, no additional authentication is required to use this API. 
 I'm not sure if we at some point prior had them activate the XML Gateway 
 for us, likely for a federated search product, or if it's just this way for 
 everyone.
 
 The path component after /sru, pqdtft is the database code for Proquest 
 Dissertations and Theses. I'm not sure where you find a list of these 
 database codes in general; if you've made a successful API request to that 
 endpoint, there will be a diagnosticMessage element near the end of the 
 response listing all database codes you have access to (but without 
 corresponding full English names, you kind of have to guess).
 
 The value of the 'query' parameter is a valid CQL query, as usual for SRU. 
 Unfortunately, there seems to be no SRU explain response to tell you what 
 fields/operators are available. But guessing often works, title, author, 
 and date are all available -- I'm not sure exactly how 'date' works, need 
 to experiment more. The CQL query param above un-escaped is:
 
 title="global warming" AND author=Castet
 
 Responses seem to be in MARCXML, and that seems to be the only option.
 
 It looks like you can tell if a full text is available (on Proquest platform) 
 for a given item, based on whether there's an 856 field with second indicator 
 set to 0 -- that will be a URL to full text. I think. It looks like. Did I 
 mention if there are docs for any of this, I haven't found them?
 
 So, there you go, a Proquest search API!
 
 Jonathan
 
 
 
 On 2/12/14 3:44 PM, Jonathan Rochkind wrote:
 Aha, thinking to google search for proquest z3950 actually got me some
 additional clues!
 
 Sites that are currently using Z39.50 to search ProQuest are advised to
 consider moving to the XML gateway.
 
 in Google snippets for:
 
 http://www.proquest.com/assets/downloads/products/techrequirements_np.pdf
 
 Also If you are using the previous XML
 gateway for access other than with a federated search vendor, please
 contact our support center at
 www.proquest.com/go/migrate and we can get you the new XML gateway
 implementation documentation.
 
 Okay, so now I at least know that something called the XML Gateway
 exists, and that's what I want info on or ask about!  (Why are our
 vendors so reluctant to put info on their services online?)
 
 I am not a huge fan of z3950, and am not ordinarily optimistic about
 its ability to actually do what I need, but I'd use it if it was all
 that was available; in this case, it seems like Proquest is recommending
 you do NOT use it, but use this mysterious 'XML gateway'.
 
 
 
 On 2/12/14 3:29 PM, Eric Lease Morgan wrote:
 On Feb 12, 2014, at 3:22 PM, Jonathan Rochkind rochk...@jhu.edu wrote:
 
 I feel like at some point I heard there was a search API for the
 Proquest content/database platform.
 
 
 While it may not be the coolest, I’d be willing to bet Proquest
 supports Z39.50. I used it lately to do some interesting queries
 against the New York Times Historical Newspapers Database (index). [1]
 Okay. I know

Re: [CODE4LIB] EZProxy changes / alternatives ?

2014-02-03 Thread Andrew Anderson
For me it’s a little more concrete, and a little less abstract when it comes to 
why a viable alternative to EZproxy is necessary.  It has very little to do 
with the cost of EZproxy itself, and much more to do with support, features, 
and functionality.

There exists a trivial DoS attack against EZproxy that I reported to OCLC about 
2 years ago, and has not been addressed yet.

Native IPv6 support by EZproxy has slipped by years now.  I have patrons using 
IPv6 for access today that I want to provide a better experience than forcing 
them to use a 6to4 gateway at their ISP.

You cannot proxy https to http with EZproxy to secure the patron to proxy side 
of the proxy communication, increasing your patron’s privacy.

I have requested that OCLC make a minor change to their existing AD 
authentication support to enable generic LDAP/Kerberos authentication that was 
denied because “no one wants it”.  Since they support AD, 95% of the code 
required already exists, and would make a lot more sense than some of the other 
authentication schemes that EZproxy already supports.  This closes the door on 
integration with eDirectory, IPA, SUN Directory Server, OpenLDAP, etc. for no 
good reason.

OCLC has been the steward of EZproxy for over 5 years now, and in that time, 
they have yet to fully document the software.  Every few months some new obscure 
configuration option gets discussed on the EZproxy list that I’ve never seen 
before, and I have been working with this software for over a decade now.  This 
is not only limited to existing configuration options, either — there was no 
documentation on the new MimeFilter option when it was first introduced.  I 
would have expected that the IT staff at OCLC that is managing the EZproxy 
service would have demanded full documentation by now, and that documentation 
would have been released to customers as well.

EZproxy does not cluster well.  The peering support is functional, but not 
seamless when there is a failure.  When a proxy in the server pool goes down, 
the patron is prompted for authentication again when they land on a new proxy 
server, since EZproxy does not share session state.  External load balancers 
cannot fix this problem, either, for the same reason.

EZproxy does not support gzip compression, causing library access to use an 
additional 80-90% bandwidth for textual content (HTML, CSS, JS, etc).

EZproxy does not support caching, causing library access to use an additional 
30-50% bandwidth for cacheable web assets. (And yes, you can park a 
cache in front of EZproxy to offset this, which is how I collected the 30-50% 
numbers, but doing so breaks the “it’s easy and just works” model that EZproxy 
promises.)

Combine the lack of gzip support with the lack of caching support, and you are 
looking at around a 60-80% overall increase in bandwidth consumption.  When you 
have a user community measured in hundreds of users, things like gzip 
compression and caching may not matter as much, but when your user community is 
measured in the hundreds of thousands of patrons, these things really do 
matter, and mean the difference between doubling your bandwidth costs this 
year, or deferring that expense 5-7 years down the road.

So it’s not _just_ $500 per year when you take a step back and look at the 
bigger picture.  It’s $500 per year, plus the per Mb cost of your internet 
connection — both inbound and outbound — which can be measured in hundreds of 
dollars per month for larger sites.  If you could cut that by 2/3 just by 
switching to a different proxy solution, that might get your attention, even if 
you shifted the $500/yr support costs to a different entity.  

Imagine never hearing “wow this library network is slow” again because a web 
page that used to load 1MB of content was able to gzip that down to 600KB, and 
300KB of that content was served off the local proxy server, leaving just 300KB 
to pull off the remote server.  How much is a better user experience worth to 
you?

Bottom line: competition is good.  Just look at how Internet Explorer is almost 
a sane browser now, thanks largely to competition from Firefox and Chrome.  If 
coming up with a viable alternative to EZproxy using open source tools causes a 
security, features, and functionality arms race, then everyone wins.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jan 31, 2014, at 18:43, Kyle Banerjee kyle.baner...@gmail.com wrote:

 On Fri, Jan 31, 2014 at 3:10 PM, Salazar, Christina 
 christina.sala...@csuci.edu wrote:
 
 I think though that razor thin budgets aside, the EZProxy using community
 is vulnerable to what amounts to a monopoly. Don't get any ideas, OCLC
 peeps (just kiddin') but now we're so captive to EZProxy, what are our
 options if OCLC wants to gradually (or not so gradually) jack up the price?
 
 Does

Re: [CODE4LIB] EZProxy changes / alternatives ?

2014-01-31 Thread Andrew Anderson
EZproxy is a self-installing statically compiled single binary download, with a 
built-in administrative interface that makes most common administrative tasks 
point-and-click, that works on Linux and Windows systems, and requires very 
little in the way of resources to run.  It also has a library of a few hundred 
vendor stanzas that can be copied and pasted and work the majority of the time.

To successfully replace EZproxy in this setting, it would need to be packaged 
in such a way that it is equally easy to install and maintain, and the library 
of vendor stanzas would need to be developed as apache conf.d files.

Re: nginx from another reply in this thread, I am keeping my eye on it for 
future projects, but one thing it does not have currently is the wealth of 
Apache modules.  Some of the authentication schemes that are commonly used in a 
library setting are supported by existing Apache modules, while nginx does not 
support them. Since it was developed with a different set of priorities, supporting 
things like Athens/CAS/SAML were not the main focus of nginx historically.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jan 31, 2014, at 12:43, Timothy Cornwell tc...@cornell.edu wrote:

 I have an IT background and some apache proxy experience, and it seems fairly 
 easy - for me.  I understand it may not be for libraries with limited IT 
 resources.  I am not at all familiar with EZProxy, so I have to ask:
 
 What is it about EZProxy that makes it attractive for those libraries with 
 limited IT resources?
 
 -T
 
 
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Kyle 
 Banerjee
 Sent: Friday, January 31, 2014 12:14 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] EZProxy changes / alternatives ?
 
 Many good ideas in this thread.
 
 One thing I'd just like to throw out there is that there are some ideas that 
 may be good to distribute in the form of virtual machines and this might be 
 one of them.
 
 Proxying is needed by practically all libraries and takes little in terms of 
 systems resources. But many libraries with limited IT resources would have 
 trouble implementing alternatives to ezproxy -- especially if they have to 
 use authentication features not supported by Apache HTTPD. Even for those who 
 do have enough staff time, it seems kind of nuts to have everyone spending 
 time solving the same problems.
 
 kyle
 
 
 On Fri, Jan 31, 2014 at 5:43 AM, Ryan Eby ryan...@gmail.com wrote:
 
 There was actually a breakout in 2011? Code4lib discussing Apache and 
 using it as a proxy. I believe Terry Reese and Jeremy Frumkin, then 
 from Oregon?, were the ones leading it. There was lots of interest but 
 I'm not sure if anything took off or if they have documentation 
 somewhere of how far they got. I remember it being about getting 
 something a consortia of libraries could use together so may have been 
 more complex requirements than what is looked for here.
 
 
 http://wiki.code4lib.org/index.php/Can_we_hack_on_this:_Open_Extensible_Proxy:_going_beyond_EZProxy%3F
 
 --
 Ryan Eby
 


Re: [CODE4LIB] EZProxy changes / alternatives ?

2014-01-29 Thread Andrew Anderson
 for testing:

<Location "/badpath">
ProxyHTMLEnable Off
SetOutputFilter INFLATE;dummy-html-to-plain
ExtFilterOptions LogStdErr Onfail=remove
</Location>
ExtFilterDefine dummy-html-to-plain mode=output intype=text/html outtype=text/plain cmd="/bin/cat -"

So what’s currently missing in the Apache HTTPd solution?

- Services that use an authentication token (predominantly ebook vendors) need 
special support written.  I have been entertaining using mod_lua for this to 
make this support relatively easy for someone who is not hard-core technical to 
maintain.

- Services that are not IP authenticated, but use one of the Form-based 
authentication variants.  I suspect that an approach that injects a script tag 
into the page pointing to javascript that handles the form fill/submission 
might be a sane approach here.  This should also cleanly deal with the ASP.net 
abominations that use __PAGESTATE to store sessions client-side instead of 
server-side.

- EZproxy’s built-in DNS server (enabled with the “DNS” directive) would need 
to be handled using a separate DNS server (there are several options to choose 
from).

- In this setup, standard systems-level management and reporting tools would be 
used instead of the /admin interface in EZproxy

- In this setup, the functionality of the EZproxy /menu URL would need to be 
handled externally.  This may not be a real issue, as many academic sites 
already use LMS or portal systems instead of the EZproxy to direct students to 
resources, so this feature may not be as critical to replicate.

- And of course, extensive testing.  While the above ProQuest stanza works for 
the main ProQuest search interface, it won’t work for everyone, everywhere just 
yet.

Bottom line: Yes, Apache HTTPd is a viable EZproxy alternative if you have a 
system administrator who knows their way around Apache HTTPd, and are willing 
to spend some time getting to know your vendor services intimately.

All of this testing was done on Fedora 19 for the 2.4 version of HTTPd, which 
should be available in RHEL7/CentOS7 soon, so about the time that hard 
decisions are to be made regarding EZproxy vs something else, that something 
else may very well be Apache HTTPd with vendor-specific configuration files.

-- 
Andrew Anderson, Director of Development, Library and Information Resources 
Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | 
http://www.facebook.com/LIRNnotes

On Jan 29, 2014, at 14:42, Margo Duncan mdun...@uttyler.edu wrote:

 Would you *have* to be hosted? We're in a rural part of the USA and network 
 connections from here to anywhere aren't great, so we try to host most 
 everything we can.  EZProxy really is EZ to host yourself.
 
 Margo
 
 -Original Message-
 From: Code for Libraries [mailto:CODE4LIB@LISTSERV.ND.EDU] On Behalf Of 
 stuart yeates
 Sent: Wednesday, January 29, 2014 1:40 PM
 To: CODE4LIB@LISTSERV.ND.EDU
 Subject: Re: [CODE4LIB] EZProxy changes / alternatives ?
 
 The text I've seen talks about [e]xpanded reporting capabilities to support 
 management decisions in forthcoming versions and encourages towards the 
 hosted solution.
 
 Since we're in .nz, they'd put our hosted proxy server in .au, but the 
 network connection between .nz and .au is via the continental .us, which puts 
 an extra trans-pacific network loop in 99% of our proxied network connections.
 
 cheers
 stuart
 
 On 30/01/14 03:14, Ingraham Dwyer, Andy wrote:
 OCLC announced in April 2013 the changes in their license model for North 
 America.  EZProxy's license moves from requiring a one-time purchase of 
 US$495 to an *annual* fee of $495, or through their hosted service, with the 
 fee depending on scale of service.  The old one-time purchase license is no 
 longer offered for sale as of July 1, 2013.  I don't have any details about 
 pricing for other parts of the world.
 
 An important thing to recognize here, is that they cannot legally change the 
 terms of a license that is already in effect.  The software you have 
 purchased under the old license is still yours to use, indefinitely.  OCLC 
 has even released several maintenance updates during 2013 that are available 
 to current license-holders.  In fact, they released V5.7 in early January 
 2014, and made that available to all license-holders.  However, all updates 
 after that version are only available to holders of the yearly subscription. 
  The hosted product is updated to the most current version automatically.
 
 My recommendation is:  If your installation of EZProxy works, don't change 
 it.  Yet.  Upgrade your installation to the last version available under the 
 old license, and use that for as long as you can.  At this point, there are 
 no world-changing new features that have been added to the product.  There 
 is speculation that IPv6 support will be the next big feature-add, but I 
 haven't heard anything official.  Start