10 4 2021 Tech Team Report - QualitativeDataRepository/TechnicalTeam GitHub Wiki

10-4-2021

Logged Tasks

                            Date             Task Hours (Main) Hours (EOLS) Hours (PII)
27-Sep-2021 Report, check re: Sword vulnerability, ext. curation labels review feedback, meeting 2
28-Sep-2021 Find mail opt in debut date, update prod /login-history report to include opt-in status, start addressing ext curation label feedback 5
29-Sep-2021 Update metrics to fix js 404s, finish curation label PR changes 4
30-Sep-2021 Review latest ext. label feedback/fix doc 1

Summary

Dataverse

  • Responded to review feedback on the external curation label PR and added documentation and tests

Operations:

  • Checked logs re: use of Sword APIs and worked with Don@Odum to assess the potential impact of a security issue in a Sword library dependency and whether/how to disable those APIs. There is no use of these APIs in the logs. It is not clear if Dataverse is vulnerable - the current Sword library dependency looks like it is old enough to predate when the flaw was introduced. Any attack would involve the creation of a new dataset which should be obvious in QDR. For these reasons I didn't immediately block these APIs but it should be possible to block them via an Apache config change if desired.
  • Explored the commit and deployment logs to figure out when the mail opt-in functionality was deployed to production (so an email can be sent to people whose accounts were created before then). I also updated the login-history report on prod to include the opt-in yes/no response (no is also shown for those whose accounts predate the feature). (I fixed a couple other inconsistencies between dev, stage, and prod for this report as well.)
  • Updated the QDR prod metrics page - it was broken due to the d3/d3plus 1.x JavaScript libraries no longer being hosted by their creators (only 2.x libraries are hosted now). I downloaded local copies and updated the URLs to match to restore the metrics page (FWIW: the same fix is a PR in the datasets-metrics repo as the problem affected all instances including the main dataverse.org community-wide metrics page.)
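
The log check described in the Sword item above could be scripted along these lines. This is an added example, not code from the QDR team or the Dataverse project; it assumes Apache combined-format access logs and Dataverse's SWORD base path `/dvn/api/data-deposit/`, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumption: Dataverse serves its SWORD v2 endpoints under this base path.
SWORD_PREFIX = "/dvn/api/data-deposit/"

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def sword_hits(lines):
    """Return parsed entries whose request path targets the SWORD API."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        # Ignore the query string; lowercase so case variants are not missed.
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(SWORD_PREFIX):
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count hits per (client, method, status) and list writes that succeeded."""
    counts = Counter((h["host"], h["method"], h["status"]) for h in hits)
    # A 2xx write is the case the report cares about: it may have created a dataset.
    writes = [h for h in hits
              if h["method"] in {"POST", "PUT", "DELETE"} and h["status"].startswith("2")]
    return counts, writes

# Constructed sample lines using documentation-range addresses, not real QDR logs.
SAMPLE = [
    '192.0.2.10 - - [27/Sep/2021:10:01:02 -0400] "GET /dataset.xhtml?persistentId=doi:10.5072/FK2/EXAMPLE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2021:10:05:00 -0400] "GET /dvn/api/data-deposit/v1.1/swordv2/service-document HTTP/1.1" 401 312 "-" "curl/7.68.0"',
    '198.51.100.7 - - [27/Sep/2021:10:05:09 -0400] "POST /dvn/api/data-deposit/v1.1/swordv2/collection/dataverse/demo HTTP/1.1" 201 1024 "-" "curl/7.68.0"',
    '203.0.113.5 - - [27/Sep/2021:10:06:00 -0400] "GET /api/info/version HTTP/1.1" 200 60 "-" "-"',
]

if __name__ == "__main__":
    counts, writes = summarize(sword_hits(SAMPLE))
    for (host, method, status), n in sorted(counts.items()):
        print(f"{host} {method} {status} x{n}")
    for w in writes:
        print("successful write:", w["time"], w["host"], w["path"])
```

An empty result from `sword_hits` over the full retention window corresponds to the "no use of these APIs in the logs" finding; any entry in `writes` should be matched against newly created datasets.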

Discussion

  • Nothing new: Software updates: Ready for php 8 deploy, with postgres 9.6->13 at any time.

Plans

  • Dataverse
    • still want to investigate the guestbook responses re version info not being included.
  • Accessibility issues - only Dataverse issues remain
  • Verify that mysql is OK on prod
  • Anno-Rep work
    • Help with deployment to dev
  • TBD: FRDR Security
  • Other tasks as discussed in strategic planning