TAG: August 10, 2022 - Islandora/islandora-community GitHub Wiki

Zoom link: https://us02web.zoom.us/j/968367412

Host key can be found in the description of the TAG Slack channel.

Attending:

  • Willow Gillingham
  • Amy Blau
  • Luke Taylor
  • Don Richards
  • Isabella Nikolaidis

Agenda

  • Security Workflow
    • possibly opening TAG channel to emails

Interest Group Updates

Islandora Events

Action Items

Meeting Minutes

  • Security Workflow
    • Luke: Due to the nature of it, didn't feel it was appropriate to post publicly anywhere
    • When security issues come up there needs to be some sort of back channel to get a plan together so it can be released in a way where we have a fix, the fix merged, and an advisory put together
    • Once upon a time there was a security email - should we revive that and have a policy to say that if you have security issues or vulnerabilities you'd like to bring to the foundation, email here
    • Don: We have a disclosure process but the documentation for it is in an interest group that is no longer
      • https://github.com/islandora-interest-groups/Islandora-Security-Interest-Group/wiki/Disclosure-Policy
      • Private message in TAG channel or those reviewing the fix
      • The only time Google Groups is brought in is when the fix is published
    • Luke: Security announcement needs to be where CoC or procedures are
      • Put a posting up on Slack saying here's where it is
    • Luke and Don volunteer to be a part of this security response
      • Someone from Born-Digital might be interested as well - Gavin?
    • Luke: To the TAG group?
      • Don: not all people in security response were available to be in TAG
    • #security-response channel is open/public
    • Amy: Helpful to add a Google Form for security reports?
      • Make sure submissions aren't viewable publicly
    • Luke: What types of CI/CD testing are we running on Islandora proper? There are Drupal testing tools that likely could have caught the previous
      • Drupal sniffs
    • Willow: Is this phpcs? It's a great utility to make your code have dependency injection, standardized Drupal requirements
      • You could activate specific standards, e.g. Drupal would be one of them
    • Luke: What CI/CD is already in place?
    • Luke: GitHub Action that kicks off or spins up a container that runs codesniffer?
    • Don: Ultimately it does pull you over to Actions - Security or Actions takes you to Actions - then under the Actions list is Security
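The CI step discussed above (a GitHub Action that runs PHP_CodeSniffer with the Drupal and DrupalPractice standards on every push and pull request) could look like the following. This is an added illustration, not a workflow from the Islandora project; it assumes the repository is a Drupal module checked out at the workflow root and that the sniffs come from the public drupal/coder package registered through the phpcodesniffer-composer-installer plugin. The PHP version and branch name are assumptions to adjust per repository.

```yaml
# .github/workflows/phpcs.yml  (added example; not Islandora's own workflow)
name: Drupal coding standards

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:

jobs:
  phpcs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'  # assumed; match the module's supported PHP
          tools: composer

      # drupal/coder ships the Drupal and DrupalPractice sniffs; the
      # composer-installer plugin registers their path with phpcs so no
      # manual "installed_paths" configuration is needed. Composer >= 2.2
      # requires the plugin to be allow-listed before it can run.
      - name: Install Drupal sniffs
        run: |
          composer global config --no-plugins allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
          composer global require drupal/coder dealerdirect/phpcodesniffer-composer-installer
          echo "$(composer global config bin-dir --absolute --quiet)" >> "$GITHUB_PATH"

      # phpcs exits non-zero on any violation, which fails the job and blocks
      # the merge when the check is required on the branch. --extensions
      # covers the PHP-flavoured file types a Drupal module contains.
      - name: Run phpcs
        run: |
          phpcs \
            --standard=Drupal,DrupalPractice \
            --extensions=php,module,inc,install,theme \
            --ignore='*/vendor/*,*/node_modules/*' \
            --report=full \
            .
```

Making this check "required" in the branch protection settings is what turns a sniff run into an actual gate; without that, the Actions tab shows the failure but a pull request can still be merged over it.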

Where should security contact email be listed?

  • Willow: On Drupal site, module installs, info file for the dependencies
    • Link to our security page/directions once moved
  • Luke: Link in footer of islandora.ca
  • Don: The process for submitting a ticket - to prevent people accidentally reporting a security breach - add a new template to report security vulnerability - do not report! Go [here] instead ...
  • Luke: https://www.islandora.ca/contact-us#comms-channels
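Don's suggestion of an issue template that steers vulnerability reports away from the public tracker maps onto GitHub's issue chooser configuration. The following is an added example, not a file from the Islandora repositories; it assumes the reporting directions live at the islandora.ca contact page already mentioned in the minutes (the final URL should be updated once the security page has moved), and that the repository keeps ordinary bug and feature templates alongside it.

```yaml
# .github/ISSUE_TEMPLATE/config.yml  (added example; not Islandora's own config)
#
# This file controls the "New issue" chooser. Disabling blank issues removes
# the shortcut that lets a reporter bypass the templates, so the contact
# link below is the first thing a would-be vulnerability reporter sees.
blank_issues_enabled: false

contact_links:
  - name: "Security vulnerability? Do NOT open an issue here"
    # Placeholder destination: replace with the published disclosure policy
    # once it has been moved out of the retired interest-group wiki.
    url: https://www.islandora.ca/contact-us#comms-channels
    about: >-
      Security issues must be reported privately so a fix can be prepared,
      merged and an advisory written before anything is made public.
      Follow this link for the reporting address.
```

A companion `SECURITY.md` in the repository root containing the same directions is worth adding at the same time: GitHub surfaces it under the repository's Security tab (the place Don describes people being routed to), so reporters who never reach the issue chooser still find the private channel rather than the public tracker.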