[grouper-dev] Draft Minutes: Grouper call 14-Aug-2013
- From: Emily Eisbruch
- To: grouper-dev
- Date: Wed, 21 Aug 2013 18:54:18 +0000
Draft Minutes: Grouper call 14-Aug-2013
Attending
Tom Barton, U. Chicago (Chair)
Jim Fox, U. Washington
Bill Thompson, Unicon
Chris Hyzer, U. Penn
Shilen Patel, Duke
Dave Langenberg, U. Chicago
Emily Eisbruch, Internet2, scribe
Action Items: Grouper call 14-Aug-2013
New Action Items
[AI] (Chris) set up a wiki page showing security patch history (Done)
[AI] (Emily) add the new Grouper-Announce list info to the "Grouper Mailing Lists" page on the Grouper website (Done)
[AI] (Emily) add the Grouper-Announce list info to the Software Download page and remove the security info at the bottom of that page (Done)
[AI] (Emily) mention to Dean a possible IAM Online based on the security working group activity Bill mentioned within the CAS community. (Done)
[AI] (Dave) draft a message about Grouper Security patches generally going back 3 releases, and share this draft with the Grouper-core list
[AI] (Chris) look at the Opt-in / Opt-out problem
https://bugs.internet2.edu/jira/browse/GRP-930
Carry Over Action Items
[AI] (Chris) inform the list about the new security form and the Grouper-Announce list (when form has been tested and linked to the wiki and/or web)
[AI] (Chris) prepare Grouper 2.1.5 release
[AI] (Dave) touch base with TomZ around PSP support issues
[AI] (Dave) contact SURFnet for architecture diagrams etc. (additional follow up may be required)
[AI] (Andrew) let us know what emerges from the Apereo security notification process work.
[AI] (Shilen) email the Grouper-users lists to ask who is using the legacy attributes and ask how they are using them
DISCUSSION
Grouper-Announce List
SteveO has set up the Grouper-Announce list for announcing security fixes.
Emily will add the Grouper-Announce list to the software downloads page: (done)
Security Report Form
Chris has set up a wiki page listing Grouper security patches.
SteveO has created a new form for reporting security issues at
This security issue report form needs to be tested and also linked to from the appropriate pages.
Once this is done, Chris will send out a note to the Grouper-users list about the new Grouper-Announce list and the new security issue form.
Grouper Web Service Security Patch and Opt-in / Opt-out
Shilen fixed the Web Services issue around deleting an attribute.
Chris noted that there was a related Opt-in Opt-out issue.
[AI] (Chris) look at the Opt-in / Opt-out problem
https://bugs.internet2.edu/jira/browse/GRP-930
How many Versions Back to Patch?
How far back should we go with security patches? Web services started at 1.4 or 1.5, so the practice to date has been to go back and patch old versions.
Several sites are still running 1.5 and 1.6.
Jim suggested that an official "end of life" should be established for a version. The Shibboleth project does this.
Bill suggested that in an open source project, since there is no license fee being paid, there is no guarantee of support. It is still good to have a reasonable strategy. Rule of thumb is to be sure to patch the version that the majority of the community is using. Users using an old version may want to do their own patch and make it available.
Decision: Announce that we go back 3 major versions (roughly 3 years) with security patches. This sets expectations and encourages sites to upgrade.
Right now that would mean v2.1, v2.0, and v1.6.
Then after the release of Grouper 2.2, the supported versions would be v2.2, v2.1 and v2.0
This info should be mentioned:
- on the Grouper Software Download page
- on the Security Reporting page
Bill: important to make it clear that as an open source project, there is no contractual obligation for support. This is community support.
One of the often-mentioned benefits of open-source software is getting off the cycle of forced upgrades that proprietary vendors can sometimes impose.
There are subtle differences that we should keep in mind in the language we use around this topic.
Language like "For your planning purposes, we wanted to let you know that we are trying our best to maintain the last 3 major revs"
DaveL will work on a draft and share it with the Grouper Core list.
[AI] (Dave) draft a message about Grouper Security patches generally going back 3 releases, and share this draft with the Grouper-core list
Bill noted that the CAS community has started a group to look at Security issues.
Bill will send a note to the Grouper-users list about this.
https://lists.internet2.edu/sympa/arc/grouper-users/2013-08/msg00018.html
There will be a presentation on this at AppSecUSA 2013 in November.
http://appsecusa.org/2013/schedule/
[AI] (Emily) mention to Dean a possible IAM Online based on the security working group activity Bill mentioned within the CAS community. (Done)
Update on Pen Testing at U. Penn.
Chris reported that Pen Testing is going well at U. Penn.
Grouper 2.2 Development
-Shilen will return to working on the legacy attribute migration once the web services patch work is done.
-Chris will return to work on the Grouper 2.2 UI soon.
-It was agreed that it makes sense to focus on the new membership API method (Java chaining of criteria for a query) in Grouper 2.2 and remove the privilege resolver approach.
Target: **** Release Grouper 2.2 around January 2014 ******
Upcoming Meetings
Next Grouper call: 28-August-2013 at noon ET
Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749
Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2 | Become a Fan on Facebook: www.internet2.edu/facebook