Attendees:
Heather, Roland, Christos, Ivan, Mike, Leif, Chris
Action items:
* Heather to draft the survey text re: Note Well (assuming the board
  votes in February to agree to using a Note Well rather than a formal
  CLA)
* Ivan to update the Security Incident Response plan to indicate that
  issues will be logged and kept indefinitely
* Heather to send out a calendar invite for TIIME and a doodle poll
  for the call after that.
Notes:
1. Signing Board Participation agreement
   * Still waiting on legal approval to do this (Mike). Cannot make
     any formal decisions until this is done.
2. CLA or Note Well?
   * Expect to handle existing contributors and new contributors
     differently.
     o We can always ask all existing contributors if they think
       they had permission to contribute code via the note well
       (rather than sign a CLA). “Here is the Note Well we’re
       adopting for all future contributions. Do you believe you
       have any problems accepting this? Do you believe you might
       not have been able to accept it for your previous
       contribution?”
     o If individuals don’t respond, we may need to consider what to
       do otherwise. We will send the survey, send a reminder, then
       start trying for personal contacts. And if none of that
       works, we’ll consider what code they’ve submitted and
       determine if we can do it a different way. Some of their
       code might already have been redone, so we aren’t in as
       urgent a situation with regards to their contribution.
   * What about the JOT libraries? This shouldn’t be a problem since
     only Roland has contributed. The OIDF might want a CLA from
     Roland (that is a separate conversation).
   * Leif strongly in favor of a Note Well (see draft here:
     https://github.com/IdentityPython/Governance) rather than a
     traditional CLA. We want it to be easy for people to contribute;
     there is an expense when lawyers are brought in, and lawyers
     often don’t understand what we’re trying to do.
3. Commons Conservancy
   * Christos has been discussing this within GEANT. GEANT does not
     have a final answer regarding IPR, but should have a final
     answer by the end of this week. They needed clarification that
     all the idpy material would remain in the open source domain.
4. TIIME?
   * Roland and Mike will not be there; will dial them in from 4pm to
     5pm CET (last hour of the developers meeting)
   * We should create an e-vote mechanism; perhaps launch at a
     meeting and let it extend for 3 days for people not able to attend.
   * Agenda: voting on CLA, Note Well text, IPR, possibly an update
     from the developers meeting, talk about how to use an intern
5. Adding new projects to idpy
   * pyFF split - the JavaScript component on the front end does not
     fit into idpy; that component belongs with the RA21 governance
     group. The backend remains part of idpy. This kind of evolution,
     since it’s not entirely removing the project, a Board decision.
     Leif withdraws his request.
   * FYI
     https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
6. Incident Response
   * Ivan has created the incident-response list. Ivan will add the
     board members to this list, as well as some of the key
     developers for the various projects within idpy.
     o This came up as a result of the following almost-bad security
       issue: https://github.com/IdentityPython/pysaml2/issues/578
   * There should be a page on the website re: how we recognize
     security research. (Some researchers contact developers
     expecting bug bounties. We can’t pay for this, but we can offer
     ‘payment’ in terms of recognition.) Look at SUNET’s website for
     an example.
     https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/
     o Heather to follow up on this and add it to the website.
     o Ivan to update (and Chris to review) the security incident
       response plan to be explicit that each item is logged and
       kept indefinitely in GitHub.
7. Next call - Heather to send out a doodle poll for end of
   February/beginning of March
On Mon, 25 Jan 2021 at 17:15, Heather Flanagan
<hlflanagan at sphericalcowgroup.com> wrote:
>
> On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote:
>
> Good answers. I don't think we should claim to provide a complete list of all
>
> software packages but there is no harm in saying that we know of several (list)
>
> and these were part of the initial notification process to prepare them for
>
> new release
>
> We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/.
>
OK, I am planning to send the final email later, today.
For the last question I will answer something along the lines of the
following (I welcome any other feedback):
> - 5. Finally, what other software/packages utilize pysaml2 ?
pysaml2 is an open source project and community effort. We have a page
dedicated to security on our website here https://idpy.org/security/
and we urge all users of our software to read it and subscribe to the
appropriate channels to stay up to date.
We do know of projects that use pysaml2 and members of some of those
projects are in direct communication with us, regarding issues and
features. Towards the wider community we gave a two-week notice that
an issue has been reported, asking everyone to prepare for an upgrade.
Throughout the project lifetime, a network of trusted community
members has grown organically, and those were given access to more
information and early patches to test and provide feedback.
Projects like SAtoSA, djangosaml2, UniAuth as well as software and
services based on pysaml2 managed by educational institutions and
research organizations, like eduTEAMS and InAcademia, were updated
swiftly and some were already running the patched version even before
it was released.
Cheers,
--
Ivan Kanakarakis
On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote:
> On 2021-01-21 11:56, Ivan Kanakarakis wrote:
> > Hello,
> >
> > On Thu, 21 Jan 2021 at 11:17, Leif Johansson <leifj at sunet.se> wrote:
> > >
> > > On 2021-01-20 21:38, Ivan Kanakarakis wrote:
> > > > Hello everyone,
> > > >
> > > > I just received the following email with questions on the recent
> > > > vulnerabilities of pysaml2.
> > > > The news site is https://www.bleepingcomputer.com/
> > > >
> > > > Should we answer?
> > > > and should we answer all questions?
> > >
> > > I think we should answer but ask to see the writeup so you can help get the
> > > details right.
> > >
> >
> > This sounds like a better strategy. Below, I am answering the email
> > and questions to kickstart this process.
> > I am skeptical if we should answer the last question.
>
> Good answers. I don't think we should claim to provide a complete list of all
> software packages but there is no harm in saying that we know of several (list)
> and these were part of the initial notification process to prepare them for
> new release
>
We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/.
-Heather
Hello everyone,
I just received the following email with questions on the recent
vulnerabilities of pysaml2.
The news site is https://www.bleepingcomputer.com/
Should we answer?
and should we answer all questions?
Cheers,
PS: for those of you who did not see our new page on the website, have a
look at the security section: https://idpy.org/security/
---------- Forwarded message ---------
From: Lawrence Abrams <labrams at bleepingcomputer.com>
Date: Wed, 20 Jan 2021 at 22:22
Subject: Press questions regarding the Pysaml2 vulnerability
To: <ivan.kanak at gmail.com>, <info at idpy.org>
I am a security reporter for the technology news site BleepingComputer.
In regards to your pysaml2 security advisory released today for
vulnerabilities CVE-2021-21238 and CVE-2021-21239.
1. Is it known if these vulnerabilities have been exploited in the
wild? If so, can you share how?
2. For CVE-2021-21238, would this allow an attacker to tamper a signed
file as long as the original legitimate signature is the first
keyvalue element?
3. For CVE-2021-21239, a signed document would be valid if the same
type of key is present in the document?
4. In what ways do you see these vulnerabilities being exploited and
are these critical enough that they should be updated immediately?
5. Finally, what other software/packages utilize pysaml2 ?
Thank you
Lawrence Abrams
BleepingComputer.com
--
Ivan c00kiemon5ter Kanakarakis >:3