Hello idpy Board members!
Our board slate for 2023 remains unchanged. Thank you to everyone who agreed to continue as board members!
• Heather Flanagan (Spherical Cow Group)
• Ivan Kanakarakis (SUNET, lead architect for Satosa, pySAML)
• Leif Johansson (SUNET)
• Roland Hedberg (independent, original developer and architect)
• Christos Kanellopoulos (GÉANT)
• Chris Whalen (individual contributor)
• Mike Jones (Director OIDF, author of OIDC and JWT and OAuth)
With that done, we need to get our annual board meeting on the agenda. I have put together a doodle poll to try and find a time next month. Please fill out the poll by Monday, 23 January 2023.
https://doodle.com/meeting/participate/id/enRxyole
Thanks! Heather
Wrongly sent only to Christos.
> Begin forwarded message:
>
> From: Roland Hedberg <roland(a)catalogix.se>
> Subject: Re: [Idpy-board] satosa - oidc
> Date: 24 October 2022 at 15:20:06 CEST
> To: Christos Kanellopoulos <christos.kanellopoulos(a)geant.org>
>
> Christos,
>
> It goes without saying that I’d prefer us to use the eduTEAMS implementation.
> Given the effort you have put into it, it’s at the top of the list.
> But, we need it to be public.
>
> I’d prefer that you would just publish what you have and we can go from there.
> That you have a private branch where your higher demands on software quality is met is not a problem to me.
>
> If you plan to wait until idpy-oidc has stopped changing then you will have to wait forever. Or at least until I stop being
> responsible for the package.
>
> There is always going to be new RFCs, Internet drafts, OIDF standards and industry specifications that we want/need to support
> if we want to be noteworthy. And that forces us to add/rewrite/refactor idpy-oidc.
>
> I try to keep people informed about such changes at the bi-weekly idpy meetings.
>
> The standards I’m working on right now are CIBA and OIDC Federation. Both of which demand some basic changes..
>
> Please send me an invite to your Thursday call and let's go from there.
>
>> 24 okt. 2022 kl. 14:56 skrev Christos Kanellopoulos <christos.kanellopoulos(a)geant.org>:
>>
>> Hello Roland,
>>
>> Of course, we do not have to use the eduTEAMS implementation. Having said this, once again we are hindered by the the changes in the underlying libraries. In September the development team has migrated the frontend to the new OP library, but our testing has showing that the new implementation is not stable for production use. At this point we are not sure whether it is a problem in the OP libary or the way it was integrated. I believe we will have more information on Thursday about this. Perhaps Ivan can say more about this.
>>
>> We have already given access to a number of people in the private repository, but we have not seen any contributions yet. I would be happy to add you and/or other trusted people in the private repository and also invite you in our Thursday call if you have the time to help in realising a stable version that we can open source.
>>
>> Christos
>>
>> On 24 Oct 2022, at 14:34, Roland Hedberg wrote:
>>
>>> Sorry for the confusion! I meant satosa-pyoidc not satosa-oidcop.
>>>
>>>> 24 okt. 2022 kl. 10:23 skrev Roland Hedberg <roland(a)catalogix.se>:
>>>>
>>>> Hi!
>>>>
>>>> This situation with EduTEAMs not releasing their satosa-idpy-oidc integration is really hurting IdPy.
>>>>
>>>> I think we should give up on EduTEAMs and instead bring in Giuseppe’s implementation.
>>>>
>>>> As long as we keep satosa-oidcop on line as the ‘official’ IdPy SATOSA-OIDC package we loose a lot of
>>>> help in making our own OIDC implementation better.
>>>>
>>>> — Roland
>>> _______________________________________________
>>> Idpy-board mailing list -- idpy-board(a)lists.sunet.se
>>> To unsubscribe send an email to idpy-board-leave(a)lists.sunet.se
>>
>
Hi!
This situation with EduTEAMs not releasing their satosa-idpy-oidc integration is really hurting IdPy.
I think we should give up on EduTEAMs and instead bring in Giuseppe’s implementation.
As long as we keep satosa-oidcop on line as the ‘official’ IdPy SATOSA-OIDC package we loose a lot of
help in making our own OIDC implementation better.
— Roland
Attendees:
Leif, Christos, Roland, Ivan, Mike, Heather
Regrets:
Chris
Notes
1. Agenda Bash
2. Board Nominations
a. 3 slots, currently filled by Leif, Christos, and Heather, will be open
• Note that Heather’s role is also “At-Large Director of Identity Python"
• Heather to send a note to REFEDS about the board nominations as well as to idpy-discuss
3. Approving updated policies
a. idpy project policy - https://github.com/IdentityPython/Governance/blob/master/idpy-projects.md
A. Should we be more specific about how much the tests should cover? Common numbers are 80% coverage. Yes, will add that.
B. Add a note about IPR and licensing, saying what's expected and pointing back to the main statutes as the canonical source
C. Should we add that we want a direction where all dependencies are maintained within idpy? Where strategic direction is more solidly align? We are still at a stage where we still maintain flexibility. We should be a supportive framework to get the job done than legislate what it means to be a project.
D. Add a note about incident handling
b. idpy incident response policy - https://github.com/IdentityPython/Governance/blob/master/idpy-incidentrespo…
A. Main changes was to explicitly take advantage of GitHubs incident management tools
B. See also the new FAQ: https://idpy.org/security/
c. Heather will send the revised policies to idpy-discuss and to Commons Conservancy
4. AOB
Thanks! Heather
Hello all!
As mentioned in the previous email, I’d like to get a Board call on the calendar. The agenda will include discussing the updates to the Project and Incident Response policies, a review of the security incident early this year, and a review of the Board seats for 2021.
https://doodle.com/poll/vbdd4qywd6askvqc
Please fill out the poll by Wednesday, 3 March.
Thanks! Heather
Hello idpy Board members!
Over the last few months, the idpy developers group has discussed what structure idpy projects should commonly follow. This discussion was inspired by the question of whether we should bring in a new project, djangosaml2, under the umbrella of Identity Python.
Also over the last few months, we have had the opportunity to exercise the incident response policy. Some items listed in the incident response policy did not take into account the incident handling tools that GitHub natively provides.
As a result of all those conversations, Ivan and I (with feedback from the developers) have updated our governance policies. You can see the proposed changes in the Governance repository:
https://github.com/IdentityPython/Governance
If you click on idpy-incidentresponse.md and idly-projects.md, there is a “History” link that will let you see the PR that included all the proposed changes.
Please take a moment to review the proposed changes. We’ll discuss and (if we managed to get everyone on a call) vote in an upcoming Board meeting. I’ll send out a separate doodle poll to set that up.
Thanks! Heather
On Mon, 25 Jan 2021 at 17:15, Heather Flanagan
<hlflanagan at sphericalcowgroup.com> wrote:
>
> On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote:
>
> Good answers. I don't think we should claim to provide a complete list of all
>
> software packages but there is no harm in saying that we know of several (list)
>
> and these were part of the initial notification process to prepare them for
>
> new relase
>
> We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/.
>
OK, I am planning to send the final email later, today.
For the last question I will answer something along the lines of the
following (I welcome any other feedback):
> - 5. Finally, what other software/packages utilize pysaml2 ?
pysaml2 is an open source project and community effort. We have a page
dedicated to security on our website here https://idpy.org/security/
and we urge all users of our software to read it and subscribe to the
appropriate channels to stay up to date.
We do know of projects that use pysaml2 and members of some of those
projects are in direct communication with us, regarding issues and
features. Towards the wider community we gave a two-week notice that
an issue has been reported, asking everyone to prepare for an upgrade.
Throughout the project lifetime, a network of trusted community
members has grown organically, and those were given access to more
information and early patches to test and provide feedback.
Projects like SAtoSA, djangosaml2, UniAuth as well as software and
services based on pysaml2 managed by educational institutions and
research organizations, like eduTEAMS and InAcademia, were updated
swiftly and some were already running the patched version even before
it was released.
Cheers,
--
Ivan Kanakarakis
On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote:
> On 2021-01-21 11:56, Ivan Kanakarakis wrote:
> > Hello,
> >
> > On Thu, 21 Jan 2021 at 11:17, Leif Johansson <leifj at sunet.se> wrote:
> > >
> > > On 2021-01-20 21:38, Ivan Kanakarakis wrote:
> > > > Hello everyone,
> > > >
> > > > I just received the following email with questions on the recent
> > > > vulnerabilities of pysaml2.
> > > > The news site is https://www.bleepingcomputer.com/
> > > >
> > > > Should we answer?
> > > > and should we answer all questions?
> > >
> > > I think we should answer but ask to see the writeup so you can help get the
> > > details right.
> > >
> >
> > This sounds like a better strategy. Below, I am answering the email
> > and questions to kickstart this process.
> > I am skeptical if we should answer the last question.
>
> Good answers. I don't think we should claim to provide a complete list of all
> software packages but there is no harm in saying that we know of several (list)
> and these were part of the initial notification process to prepare them for
> new relase
>
We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/.
-Heather
Hello everyone,
I just received the following email with questions on the recent
vulnerabilities of pysaml2.
The news site is https://www.bleepingcomputer.com/
Should we answer?
and should we answer all questions?
Cheers,
PS: for those of you did not see our new page on the website, have a
look at the security section: https://idpy.org/security/
---------- Forwarded message ---------
From: Lawrence Abrams <labrams at bleepingcomputer.com>
Date: Wed, 20 Jan 2021 at 22:22
Subject: Press questions regarding the Pysaml2 vulnerability
To: <ivan.kanak at gmail.com>, <info at idpy.org>
I am a security reporter for the technology news site BleepingComputer.
In regards to your pysaml2 security advisory released today for
vulnerabilities CVE-2021-21238 and CVE-2021-21239.
1. Is it known if these vulnerabilities have been exploited in the
wild? If so, can you share how?
2. For CVE-2021-21238, would this allow an attacker to tamper a signed
file as long as the original legitimate signature is the first
keyvalue element?
3. For CVE-2021-21239, a signed document would be valid if the same
type of key is present in the document?
4. In what ways do you see these vulnerabilities being exploited and
are these critical enough that they should be updated immediately?
5. Finally, what other software/packages utilize pysaml2 ?
Thank you
Lawrence Abrams
BleepingComputer.com
--
Ivan c00kiemon5ter Kanakarakis >:3
